Captain

How can I extract a value contained in the message field?

Hi,

I'm getting lost in figuring out what is the best and easiest solution to extract a number contained in the Message field. An example of two message fields are as follows:

208 violations recorded for user1- Number of violations exceeds the configured
4344 violations recorded for user2 - Number of violations exceeds the configured

What I would like is to extract and assign the initial value of 208 and 4344 value to a deviceCustomNumber1 fieldset.

The SmartConnector is not a Flex but a standard ArcSight syslog. I have read about using a map, conditional map, parser override, subparser, __regexToken() and extraprocessor ... but maybe some submessage lines may be enough, but I didn't understand if I should treat them as a parser override by placing the commands in the FCP folder and creating a file with a well-defined name ...

Could you please give me some advice on the best method and if possible have an example?

Thanks for your help

Roby

8 Replies
Knowledge Partner

Hi

Can you share the logging device / application details, event name and the version of SmartConnector you are using?

A regex map file would likely be the way forward - but sometimes you may find some of the parsing is already going to AdditionalData fields that already exist?

Knowledge Partner

Yep, it could be a one-liner, if we knew a bit more about the source of your logs.

Lieutenant

IMO, the easy way is to use map file or even better - categorizer map file.

An example of such a map file (no getters, just a setter, but you can add some getter to specify which event will be evaluated by this map):

set.expr(message).event.deviceCustomNumber1

__regexToken(message, "(\d+)\s*violations recorded for.*")
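Added example, not part of Peter's post or any ArcSight code: a small Python model of that map row, running the same regex over messages constructed from the question, with an optional getter on event name to illustrate the conditional evaluation Peter mentions. The full-match behaviour of `__regexToken()`, the getter key `name` and the event dict layout are assumptions for the model.

```python
import re

# Regex copied unchanged from the map-file answer.
VIOLATIONS_RE = re.compile(r"(\d+)\s*violations recorded for.*")

# Constructed sample events modelled on the two messages in the question,
# plus one event that should NOT be mapped.
SAMPLE_EVENTS = [
    {"name": "Violation threshold",
     "message": "208 violations recorded for user1- Number of violations exceeds the configured"},
    {"name": "Violation threshold",
     "message": "4344 violations recorded for user2 - Number of violations exceeds the configured"},
    {"name": "Login",
     "message": "User user3 logged in from 10.0.0.5"},
]


def regex_token(value, pattern):
    """Model of __regexToken(): the whole string must match the pattern
    and the first capture group is returned, otherwise None.
    Assumption: full-match semantics, mirroring the trailing .* in the answer."""
    if value is None:
        return None
    match = pattern.fullmatch(value)
    return match.group(1) if match else None


def apply_map(event, getter_name=None):
    """Model of one map row: an optional getter on the event name, then the
    setter set.expr(message).event.deviceCustomNumber1 (hypothetical getter key)."""
    if getter_name is not None and event.get("name") != getter_name:
        return event  # getter did not select this event; row is skipped
    token = regex_token(event.get("message"), VIOLATIONS_RE)
    if token is None:
        return event  # no match: the field stays unset, the event is untouched
    mapped = dict(event)
    mapped["deviceCustomNumber1"] = int(token)  # deviceCustomNumber fields are numeric
    return mapped


def map_all(events, getter_name=None):
    """Apply the row to a batch of events, as the connector would per event."""
    return [apply_map(e, getter_name) for e in events]


if __name__ == "__main__":
    for e in map_all(SAMPLE_EVENTS):
        print(e.get("deviceCustomNumber1"), "<-", e["message"][:45])
```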

Captain

Hello to all of you who have replied to my post.
The log message is the only thing I have because the customer has a strong separation of roles and it is not possible for me to view or know about the SmartConnector. This frees me from having to do it myself by asking them to do it, but my curiosity to know remained.
I think I understand how to do it, putting the 2 lines in the file map.properties somewhere, but if you had an example ready (map file name and log) without expecting to waste too much of your time I would be very happy to see it.

Thanks

Roby

Knowledge Partner

@peter.vnencak's post is a great answer to your needs, but if you can tell us the Log Source (vendor / product / version) then there may be an easier option - i.e. upgrade connector, map additionaldata field etc.

Captain

Yes kevquinlan, Peter's answer is a good suggestion.

I realized days ago I cannot get more information due to segregation of duty.

All I know is the event example, the SC is a Flex, and I need the number from the message part "208 violations recorded..."

And "the easy option ..." is what I'm looking for in the original post.

I'll try to install a test Flex SC, parse the event and apply Peter's suggestion. Then take the evidence and how-to and pass it as a "suggestion", asking them to modify the Flex.

That is the reason I asked for a complete example for it... but no problem, you just provided me a good answer to test.

Thanks

Roby

Knowledge Partner

You said originally this was a standard Syslog Connector, not a Flex?

If it is a Flex, then I would look to update the Flex .properties file to extract the information you want during the first parsing.

If it is a standard SmartConnector - then it may already be mapped in additionalData and could be extracted from there, or go down the map.n.properties route suggested above.

Good luck

Captain

Yes, you're correct, it is not a Flex, it is syslog. It is my mistake, confusing it with another post.
The agent log says:

[INFO] [default.com.arcsight.agent.f3] [logStatus] {Agent Type = syslog, Agent Version = 7.9.0.8084.0

Roby
