Local and Global Variable
I want to understand the use of local variables and global variables in ArcSight ESM. Please share any examples, such as the situations in which we can use these.
Re: Local and Global Variable
I would recommend reviewing the ArcSight ESM Console User Guide for your version for a full explanation of local and global variables. In the 6.8c guide, information can be found in Chapter 25 - Reference Guide - under the heading of 'Variables' (pg. 982). Additional information is located in Chapter 13 - Global Variables (pg. 445).
A brief description is that variables are simply fields derived from other pieces of data. A local variable can only be used within the resource it is associated with, and global variables can be used and referenced nearly anywhere.
A few simple use cases:
- Calculate the time difference between two timestamps using the 'TimeDifferenceInSeconds' function.
- Retrieve a value from an ActiveList based on a lookup of another field using the 'GetActiveListValue' function to provide data enrichment in the event.
- Parse and normalize data; for example, suppose you receive information pertaining to a file containing the full path (for example, 'C:\windows\System32\drivers\etc\hosts') but you want to work on just the file name (hosts). You could create a variable to identify the index of the last path delimiter ('\') using the 'LastIndexOf' function, create a second variable to identify the starting index of the filename using the 'Add' function (incrementing the value of the previous variable by 1), and finally parse the full filename using the 'Substring' function.
Let me know if that helps!
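The file-name use case from the reply above, modelled in Python as an added example (it is not part of the original reply and is not ArcSight variable syntax, since ESM variables are built in the Console). The helper semantics, the `filePath`/`fileName` keys and the sample events are assumptions constructed for illustration; the point is how the three chained variables behave on paths with no delimiter, a trailing delimiter, or a different delimiter.

```python
# Python model of the LastIndexOf -> Add -> Substring variable chain.
# Assumption: the "not found" result is -1, as in most string libraries;
# check the ESM Console User Guide for the product's actual behaviour.

def last_index_of(value: str, delimiter: str) -> int:
    """Variable 1: index of the last delimiter, or -1 if it is absent."""
    return value.rfind(delimiter)

def add(a: int, b: int) -> int:
    """Variable 2: arithmetic step, used to move one past the delimiter."""
    return a + b

def substring(value: str, start: int) -> str:
    """Variable 3: everything from 'start' to the end of the string."""
    return value[start:]

def derive_file_name(event: dict, delimiter: str = "\\") -> str:
    """Chain the three variables over one event's file path."""
    path = event.get("filePath") or ""           # missing field -> empty
    delim_idx = last_index_of(path, delimiter)   # variable 1
    name_start = add(delim_idx, 1)               # variable 2 (-1 + 1 == 0)
    return substring(path, name_start)           # variable 3

def enrich(events: list) -> list:
    """Return copies of the events with a derived 'fileName' field added."""
    return [dict(e, fileName=derive_file_name(e)) for e in events]

# Constructed sample events (not taken from a real system).
SAMPLE_EVENTS = [
    {"filePath": r"C:\windows\System32\drivers\etc\hosts"},  # normal case
    {"filePath": "hosts"},       # no delimiter: whole value is kept
    {"filePath": "C:\\Temp\\"},  # trailing delimiter: empty file name
    {"filePath": "/etc/hosts"},  # other delimiter: nothing is stripped
    {},                          # field not populated
]

if __name__ == "__main__":
    for e in enrich(SAMPLE_EVENTS):
        print(repr(e.get("filePath")), "->", repr(e["fileName"]))
```

Rules or filters that match on the derived name should account for the empty and unstripped results, for example by conditioning on the field being non-empty.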