Does anyone have any documentation on how to use the "merge" parameters in Flex connector development? I've seen some parsers with that keyword in the past and it allows you to merge certain messages together, similar to how the multiline parser works, except I believe merge puts messages together based on some commonality in the message. For example, it's perfect for putting together Sendmail logs, where SENDER, ORCPTs, SUBJECT, etc. all come in as separate lines via syslog and need to be put together based on the shared MSGID. There is no documentation for it in the Flex Dev guide, but if you do a search, some connector guides refer to various values from merged events (look for "mergedevent").
Alternatively, if someone has already developed such a parser, specifically for Symantec Mail Security Appliances, formerly known as Brightmail Gateway, I'd appreciate it if you could share.
I have a few queries regarding the merge operation:
1> Merging the fragments in sequence: How do I merge the fragmented segments in the right order if the fragments are not received in the right order by the ArcSight connector?
Ex: one event with multiple segments and packets; it is a single event, but the order in which the events arrive varies.
<181>Sep 27 03:19:18 cise_prod CISE_Administrative_and_Operational_Audit 00000001234 2 0 2013-09-27 03:19:18.704 +00:00 0000037414 52000 NOTICE Configuration-Changes: Added configuration,
<181>Sep 27 03:19:18 cise_prod CISE_Administrative_and_Operational_Audit 00000001234 2 2 Name=LDAP_farm2\\\,Subjects In Groups Are Stored In Member Attribute As=Distinguished
<181>Sep 27 03:19:18 cise_prod CISE_Administrative_and_Operational_Audit 00000001234 2 1 Name=LDAP_farm2\\\,Subjects In Groups Are Stored In Member Attribute As=Distinguished
2> Method to capture the fully merged event for further processing through tokens or field regexes.
The parser executes all instructions (parsing code) in every pass, and tokens are mapped with information from the current segment. If I need to parse the fully merged event using submessages or extraprocessors, how do I achieve this?
If there is any way to parse further on field regexes, how effective will it be after parsing the merged field?
Any suggestions on this?
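An added example, in Python, of the reassembly both questions in this thread describe (the out-of-order segments above and the keyed Sendmail-style merge in the first post); it is not code from the thread, from ArcSight or from Cisco. Segments are keyed by host, category and sequence number, held until all TOTAL segments have arrived in whatever order, and only the complete message is handed to the field parser, so key=value parsing never runs over a half-message. The header layout (SEQ TOTAL INDEX after the category), the zero-based segment index, the comma-separated key=value body with backslash-escaped commas, and the sample lines themselves are assumptions modelled on the lines quoted above.

```python
import re
from collections import OrderedDict

# Assumed header layout for the segmented syslog lines quoted in the thread:
# <PRI>timestamp host category SEQ TOTAL INDEX payload. Group names are this
# example's own, not ArcSight token names.
SEGMENT_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<category>\S+) (?P<seq>\d+) (?P<total>\d+) (?P<index>\d+) ?(?P<payload>.*)$"
)

# Split on commas that are not escaped with a backslash ("\," stays inside a value).
UNESCAPED_COMMA = re.compile(r"(?<!\\),")


class SegmentReassembler:
    """Collects segments keyed by (host, category, seq) and returns the merged
    event only when all TOTAL segments are present, regardless of arrival order."""

    def __init__(self, max_pending=10000):
        # Bounded table: a lost segment must not keep memory forever.
        self.pending = OrderedDict()
        self.max_pending = max_pending

    def feed(self, line):
        m = SEGMENT_RE.match(line)
        if not m:
            raise ValueError("not a segmented line: %r" % line)
        total, index = int(m["total"]), int(m["index"])
        if index >= total:
            raise ValueError("segment index %d out of range for total %d" % (index, total))
        key = (m["host"], m["category"], m["seq"])
        entry = self.pending.get(key)
        if entry is None:
            entry = {"total": total, "segments": {}, "ts": m["ts"], "pri": m["pri"]}
            self.pending[key] = entry
            self._evict_oldest()
        elif entry["total"] != total:
            raise ValueError("conflicting segment count for %r" % (key,))
        entry["segments"].setdefault(index, m["payload"])  # a duplicate segment is ignored
        if len(entry["segments"]) < total:
            return None  # still waiting; nothing is parsed yet
        del self.pending[key]
        message = "".join(entry["segments"][i] for i in range(total))
        return {"host": key[0], "category": key[1], "seq": key[2],
                "timestamp": entry["ts"], "message": message}

    def _evict_oldest(self):
        while len(self.pending) > self.max_pending:
            self.pending.popitem(last=False)


def parse_fields(message):
    """Split a merged payload into the leading fixed text and the key=value
    pairs after the first comma; backslash-escaped commas stay in the value."""
    parts = [p.strip() for p in UNESCAPED_COMMA.split(message)]
    fields = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.replace("\\,", ",")
    return parts[0], fields


def merge_stream(lines):
    """Run a batch of lines through one reassembler; returns completed events."""
    reassembler = SegmentReassembler()
    events = []
    for line in lines:
        event = reassembler.feed(line)
        if event is not None:
            events.append(event)
    return events


# Constructed sample: one event in three segments, arriving as 0, 2, 1, with a
# key ("AdminName") split across the segment boundary and an escaped comma.
HEADER = "<181>Sep 27 03:19:18 cise_prod CISE_Administrative_and_Operational_Audit 00000001234 "
SAMPLE_LINES = [
    HEADER + "3 0 2013-09-27 03:19:18.704 +00:00 0000037414 52000 NOTICE Configuration-Changes: "
             "Added configuration, Name=LDAP_farm2, Subjects In Groups Are Stored In Member ",
    HEADER + "3 2 Name=admin\\, ldap-ops",
    HEADER + "3 1 Attribute As=Distinguished Name, Admin",
]

if __name__ == "__main__":
    for event in merge_stream(SAMPLE_LINES):
        prefix, fields = parse_fields(event["message"])
        print(event["seq"], prefix)
        for key, value in fields.items():
            print("  %s = %s" % (key, value))
```

Parsing each segment on its own would split "AdminName" into "Admin" and "Name=..." and read the escaped comma as a field boundary; waiting for the full message avoids both. The same pending-table shape covers the Sendmail case from the first post, with MSGID as the key; there the completion rule is a terminal line or a timeout rather than a segment count, and in a long-running collector a time-based flush of stale entries belongs next to the size bound used here.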
In the end, have you written a whole flex with the merging feature, or reused the SmartConnector and written an override for the merging?
I am in the same situation and would like to know, before doing it myself.