ahof6480 Regular Contributor.

How to use map file for a field extracted with an acp/fcp file?

Standard syslog SmartConnector. A vendor includes an additional field called "target" that we have a simple fcp file for. Without an extra fcp file, the target field is never assigned to any ArcSight schema field, so we solved that problem with an ngmappings file.

It's very simple, like this:

The file is ngmappings.adatamappings.properties

It only has 1 line:

event.deviceCustomString1=target

But now we need to map additional fields depending on what deviceCustomString1 is set to, but a simple map file doesn't work.  The map file gets processed before the ngmappings file above so the map file never accomplishes anything.  

An example of my getter/setter:

event.deviceCustomString1,set.event.deviceCustomString2

value1,"some value"

Is there a way to make the SmartConnector process the map file after ngmappings? Or is there a better way to accomplish this?

Knowledge Partner

Re: How to use map file for a field extracted with an acp/fcp file?

@ahof6480 

I think the key word for your search is "additionalregexparsing" ... not easy to explain, but I think you will find some good hints here:

https://community.microfocus.com/t5/Archive-Discussion-Board/Reparse-data-stored-in-event-fields-gt-additionalregexparsing/td-p/1573440 

and here:

https://community.softwaregrp.com/dcvta86296/attachments/dcvta86296/arcsight-discussions/1593/1/Reparsing%20Data%20in%20ArcSight%20Fields.pdf


Cheers

A

Edit: you can access the whole event via

source.field=event.rawEvent