
How to find the Active and In-active rules in the ESM

Hi,

I would like to know the ways to find the running rules and idle rules in the ESM. There are so many rules implemented in the ESM that I am unable to find out which are active and triggering and which are not.

It would be a help if someone could share how to find the active and inactive rules in the ESM.

Hi, let me rephrase my question.

I have a folder in Real-time Rules called "ABC content".

Under this folder there are many other folders, and each folder has rules, of which some are active (meaning enabled) and some are in-active (disabled).

Real Time Rules folder:
-----------------
ABC content
     ----A1
        --Rule 1 (active)
        --Rule 2 (active)
        --Rule 3 (active)
        --Rule 4 (in-active)
     ----A12
        --Rule 1 (active)
        --Rule 2 (active)
        --Rule 3 (active)
        --Rule 4 (in-active)
     ----A13
        --Rule 1 (active)
        --Rule 2 (in-active)
        --Rule 3 (active)
        --Rule 4 (in-active)
     ----A14
        --Rule 1 (active)
        --Rule 2 (active)
        --Rule 3 (active)
        --Rule 4 (in-active)
     ----A15
        --Rule 1 (active)
        --Rule 2 (active)
        --Rule 3 (active)
        --Rule 4 (active)

Now the requirement is to fetch all the active (enabled) and in-active (disabled) rules under the main folder (ABC content) in the form of a report.

Is there a way to get this? When I right-click and export to HTML I can see all the rules under each folder, but it does not show whether the rule is active / in-active.

I can see at a glance which are active and in-active, but how do I get this in the form of a report?

5 Replies
Commodore

Any rule deployed as real-time will generate real-time correlation alerts. So the rules under the "Real Time Rules" group are the active rules.

A rule which is not showing in the Real Time group is not active.

Hope this helps

Manoj S.

Fleet Admiral

It's something of an edge case, but you also need to take scheduled rules and potentially data monitors into account too.

Captain

Hello,

Please check the dashboard below in ESM.

/All Dashboards/ArcSight Administration/ESM/System Health/Resources/Rules/Rules Status

Regards,

Ameer Mane

Fleet Admiral

You could do an archive export or package of your real-time rules folder and parse the resulting XML to determine what you are looking for.

Absent Member.

Dear ​,

In general, rules which are created and deployed in Real Time rules will be up and running in real-time cases. If you want to monitor them with another use case, you can look for dashboards at: All Dashboards/ArcSight Administration/ESM/System Health/Resources/Rules/Rules Status

Regards,
