How to use map file for a field extracted with an acp/fcp file?
Standard syslog SmartConnector. A vendor includes an additional field called "target" that we have a simple fcp file for. Without an extra fcp file, the target field is never assigned to any ArcSight schema field, so we solved that problem with an ngmappings file.
It's very simple, like this:
The file is ngmappings.adatamappings.properties
Only has 1 line:
But now we need to map additional fields depending on what deviceCustomString1 is set to, but a simple map file doesn't work. The map file gets processed before the ngmappings file above so the map file never accomplishes anything.
For example, my getter/setter:
Is there a way to make the SmartConnector process the map file after ngmappings? Or is there a better way to accomplish this?
Re: How to use map file for a field extracted with an acp/fcp file?
I think the key word for your search is "additionalregexparsing" ... not easy to explain, but I think you will find some good hints here:
Edit: you can access the whole event via