How to take the Count of an Entry from Active List

Hi All,

I need to take the count of an entry from an active list. Is it possible with a variable?

Regards

Arjun


Accepted Solutions
Absent Member.

What ESM version are you using?

There is a new feature in v6.9.1c:

List Enhancements

Active Lists

You can now include the Count, Creation Time, and Last Modified Time fields in your active lists.

Alternatively, you can do something like this:

Set up a rule with filter:

DeviceEventClassID = activelist:103

File name = <Name of Active List>

The number in "DeviceCustomNumber1" is the count-value from the active list.

Set an action to add this number to a new active list.

7 Replies
Absent Member.

Hi Arjun,

You need to query an active list with a given condition or filter, right? You can simply build a query on that active list and insert the condition you need.

Bye

Alex

Valued Contributor.

Hi Alex,

Is there any way to add the output of this query to an Active List?

Regards

Arjun

Absent Member.

Hi Arjun,

Sorry, but... what is the goal? According to my knowledge, an active list can be filled up only with rules.

Bye

Alex

Acclaimed Contributor.

Active lists can also be populated from Trends.

Absent Member.

In addition, an active list can be populated by importing a CSV file. It can also be manually edited via the right-click menu. The ESM Console User's Guide contains good information about active lists. I suggest you read that to get a good understanding of what you can do with them.

Warm regards,

Erdy Suarez

HP ArcSight Technical Consultant

Absent Member.

Hi Arjun,

As said, here is the solution achieved during our private talk.

You have a rule that checks for account lockouts. Build a second one and just add to it a variable (let's call it "lockout_trigger") that uses the "GetActiveListValue" function. This function evaluates a field extracted from the event evaluated by the rule (the username in your case) and returns the value associated with it in the active list (which should be the number of account lockout events added by the first rule). After that, just add another condition that evaluates lockout_trigger>5.

Let's suppose the active list will look like this (Username has to be set as the key field):

Username     Count_of_locks
morgan       2
taylor       6
murray       1
...          ...

Now, building a lockout_trigger variable with the "GetActiveListValue" function, you will combine "Username" with the field containing the username in your events (let's suppose destinationUserName). After that, when the value "taylor" is found in an event, for that event you will get access to the value of lockout_trigger.Count_of_locks, which is the number of locks identified for that user up to now. Thus, you can simply set an additional condition "lockout_trigger.Count_of_locks>5".

Bye

Alex
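
The two-rule logic described in the post above, modelled in Python as an added example (not part of the thread and not ArcSight code). The class and function names, the "account lockout" event name, and the assumption that the first rule's list update lands before the second rule evaluates are all hypothetical.

```python
# Model of the two-rule lockout correlation from the post above.
# Not ArcSight code: ActiveList and both rule functions are hypothetical stand-ins.

LOCKOUT_THRESHOLD = 5  # from the post: lockout_trigger.Count_of_locks > 5

class ActiveList:
    """Key field -> count, like the Username / Count_of_locks list in the post."""

    def __init__(self):
        self._entries = {}

    def add(self, key):
        # Assumption: re-adding an existing key raises its count by one.
        self._entries[key] = self._entries.get(key, 0) + 1

    def get_value(self, key):
        # Stand-in for the GetActiveListValue lookup; None when the key is absent.
        return self._entries.get(key)

def is_lockout(event):
    # Assumption: lockout events carry this (hypothetical) event name.
    return event.get("name") == "account lockout"

def rule_count_lockouts(event, lockouts):
    """Rule 1: record each account-lockout event under its username."""
    if is_lockout(event):
        lockouts.add(event["destinationUserName"])

def rule_lockout_trigger(event, lockouts):
    """Rule 2: same lockout condition, plus the looked-up count must exceed 5."""
    count = lockouts.get_value(event.get("destinationUserName"))
    return is_lockout(event) and count is not None and count > LOCKOUT_THRESHOLD

def replay(events):
    """Run events through both rules in order; return (index, user) per alert."""
    lockouts, alerts = ActiveList(), []
    for index, event in enumerate(events):
        rule_count_lockouts(event, lockouts)  # assumption: list is updated first
        if rule_lockout_trigger(event, lockouts):
            alerts.append((index, event["destinationUserName"]))
    return alerts

# Constructed sample events (not real logs): morgan x2, taylor x6, one murray logon.
SAMPLE_EVENTS = (
    [{"name": "account lockout", "destinationUserName": "morgan"}] * 2
    + [{"name": "account lockout", "destinationUserName": "taylor"}] * 6
    + [{"name": "logon", "destinationUserName": "murray"}]
)
```

With the strict "greater than 5" condition, the alert appears on a user's sixth lockout, and a user missing from the list never matches.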
