How to populate the events in active channel from datamonitor

AarushJ · ‎2016-08-19

Hello

I looking how to populate the events in active channel from data monitor/ dashboard, my concern is when I click the event in a data monitor/dashboard it has to appear in the active channel but somehow it is not working. How can I do it please guide is there is a way or any document to be follow.
It is highly appreciable if anyone can help in this,

Thanks,
Anchal

AJ

AarushJ · ‎2016-08-19

please help

AJ

prentice@hpe.co · ‎2016-08-19

It depends on the data monitor (DM). Some automatically bring up an active channel, and some do not.

Which DM are you expecting to create an active channel?

One way to tell if it will create an active channel when you click on the DM is to edit the DM and see if there is an attribute/setting for a field set. It there is, it will create an active channel. If there is not, it probably won't.

Volker Michels · ‎2016-08-19

Hello,

it's pretty simple, create an Active Channel with Generator URI starts with (or = if you want to have a specific monitor) ... and specify the path:

Volker

AarushJ · ‎2016-08-19

Hi Volker,
I asking like I m having a Dashboard which represents the top attacker IP's and their count, so when I click over the 1st IP with the highest count then that should be drill down to a active channel.
The way you suggested is useful when we are looking for a single event particularly but I want that however I click to and event in the dashboard it will drill down to a active channel.
Thanks for sharing your input its useful too.

AJ

AarushJ · ‎2016-08-19

Hello Prentice,
Can you provide me the screenshot or any steps how can I go with what you have suggested.
It will be helpful too.

AJ

Pushpendra_Rathi · ‎2016-08-19

Which dashboard are you using? Is it a default one which isn't working or custom dash created by you?

Before troubleshooting further, make sure you have assigned a field set in the respective data monitor by editing it..

Regards

Pushpendra

Sent from my iPhone

gregkap · ‎2016-08-19

Maybe what you want to do is populate an active list? If I understood correctly what you should do is create a lightweight rule that populates an active list with specific fields that you want.

If you're just looking for a specific event (event_name, IP, etc.), you can always right click on dashboard and click investigate in order to create an active channel and then add anything else you want to in the current filter. That's pretty obvious but sometimes the easiest way may be the solution.

Pushpendra_Rathi · ‎2016-08-19

No she doesn't want populate an active list but just a simple question about opening a active channel by double clicking on any dashboard, it normally shows up all respective events.

AarushJ · ‎2016-08-19

Thanks for the valuable response to the problem ihope may ill be not very clear by the words below are the snaps please look to it:
May this

May this will help to understand better about what I m asked a ques.
I m using a Customized one that is bucketized .

AJ

gregkap · ‎2016-08-19

OK!! Your problem is that you can't use the InActiveList in an active channel. What you want to do can't be done. Sorry for misunderstanding earlier but this is an arcsight issue that doesn't let you use any active lists included as conditions in an active channel.

prentice@hpe.co · ‎2016-08-20

Actually, if your active list has key fields, you can use a getActiveList function (variable) to replace the inActiveList condition (getMyAcitveList.key1 IS NOT NULL), and then your active channel drill-down will work.

ESM