pankaj@crestdat Absent Member.

How to get Additional fields in ESM Web through active channel

Hi,

As per the flex-dev guide, I have added an Additional data field in my parser file at the connector, as shown below.

additionaldata.enabled=true

/*  Some regex parsing code and assignments to event schema */

additionaldata.test1=__stringConstant("Hello")

additionaldata.test2=event.destinationUserName

On ESM, I created an Active Channel on my connector and want to see these two new fields, test1 and test2.

When I go to Columns -> Add/Remove Column -> Additional Data, I don't see these two fields in the dropdown. I entered both of the fields manually to see them as columns.

But I don't get any values in these columns.

How can I get the additional fields on ESM?

Thanks in Advance,

Pankaj

7 Replies
jefferyhamstra Super Contributor.

Re: How to get Additional data field in ESM through active channel

Pankaj,

I think you need to map these columns from the connector; you can send a map command to the connector to see what fields are available, and then map them in ESM.

Let me know if this helps.

Jeff

pankaj@crestdat Absent Member.

Re: How to get Additional data field in ESM through active channel

Hi Jeff,

Thanks for the reply.

The map command still expects that you map your field to an ArcSight field. The problem is I have too many fields (around 90) and they are very different from the available ArcSight fields. So I want to extract them as additional fields without mapping them to ArcSight fields.

Is this possible?

Thanks,

Pankaj

jefferyhamstra Super Contributor.

Re: How to get Additional data field in ESM through active channel

I don't think so; I'm fairly certain you need to map them to a specific field in ESM for it to be listed. You could always use a flex or customstring if they're available.

pankaj@crestdat Absent Member.

Re: How to get Additional data field in ESM through active channel

Thanks Jeff. That clarifies a lot.

So just to confirm, I have various event IDs and I need to extract a few fields in each event ID which are very specific to that event ID. Also, these fields do not map to any specific ArcSight fields, so I plan to use deviceCustomString1..6. My only concern is that, for example, if I extract deviceCustomString1 for event ID x and store TESTFIELD1 in it, and extract the same deviceCustomString1 for event ID y and store TESTFIELD2 in it, wouldn't my customer be confused about the meaning of deviceCustomString1, which is different for each event ID? Is there any way I can alias deviceCustomString1 to a more meaningful name based on my event ID?

My customer's product sends its product-specific logs to the Windows application logs, hence I am using WUC and writing my own parser because I only need to parse the Windows application log. But they have very product-specific information and fields in these logs.

Will a flex connector solve this problem for me if I were to go that route?

Thanks,

Pankaj

jefferyhamstra Super Contributor.

Re: How to get Additional data field in ESM through active channel

Pankaj,

As far as I know, there is no way to generate different custom strings based on eventId; my suggestion would be to tag all your events with different customstrings, use a lightweight rule to generate a list, or create a filter based solely on that custom string, and use those filters to separate the different events.

pankaj@crestdat Absent Member.

Re: How to get Additional data field in ESM through active channel

Thanks Jeff.

That means that from the Smart connector parser, I can't create fields with custom names. I need to do some magic on ESM itself.

Am I correct?

Thanks,

Pankaj

Shaun Acclaimed Contributor.

Re: How to get Additional fields in ESM Web through active channel

You can label deviceCustomString1..6 whatever you want using:

event.deviceCustomString1Label=__stringConstant(Something)

event.deviceCustomString2Label=__stringConstant(Something else)
