Map device receipt time -> End time

pedrochaves · ‎2015-08-04

Hello,

Is it possible to map the device receipt time to the field end time without using a rule?

Regards,

Pedro Chaves

mschleich · ‎2015-08-04

Hi Pedro,

You may use map files on the connector but if you do that you will not be able to detect Time Issue.

Why you want to do this mapping?

If you have a huge difference it is maybe an useful information to take into consideration.

Now if it is short time, you may use Time Correction feature in Connector configuration.

I hope this information will be helpful.

Thanks

Kind Regards

Michael

pedrochaves · ‎2015-08-04

Hi Michael,

Thank you for the reply.

We install a non supported connector and there is a issue on mapping the timestamps.

This is a temporary fix until the supported version is released.

Do you know how do I use the properties map to do this?

Thank you in advance.

Kind Regards,

Michael

mschleich · ‎2015-08-04

Hi Pedro,

You have to modify the map.0.properties file placed in /ARCSIGHT_HOME$/Curent/user/agent/map directory

with the correct.

Maybe this will work in replacing <device vendor of the connector> by the correct value without <>.

event.deviceVendor,set.event.endTime

<device vendor of the connector>,deviceReceiptTime

Do not forget to restart the connector and check in agent.out.wrapper.log for this ERROR

If it is not working, You need to use set.expr, I can try to provide you a proper answer tomorrow.

If it is urgent, you may check in the Flex Dev Guide PDF, there are some pages about that.

Thanks

Kind Regards

Michael

Shaun · ‎2015-08-04

Try:

map.0.properties:

set.expr(deviceReceiptTime).event.endTime

deviceReceiptTime

pedrochaves · ‎2015-08-05

Hi,

Thanks for the reply.

I've tried those configurations and it doesn't seem to be working.

Regards,

Pedro Chaves

rhope · ‎2015-08-05

Which one of the two fields is currently set with the correct value? End Time or Device Receipt Time?

pedrochaves · ‎2015-08-05

Hello,

Device Receipt Time.

mschleich · ‎2015-08-05

Hi Pedro,

Could you please try in map.0.properties

event.deviceVendor,set.expr(deviceReceiptTime).event.endTime

<correctdevicevendor>,deviceReceiptTime

You have to restart the connector to permit this to work or to use the console to reload map files.

Thanks

Kind Regards

Michael

pedrochaves · ‎2015-08-06

Hello Michael,

It doesn't work.

map.0.properties:

Events:

Regards,

Pedro Chaves

mschleich · ‎2015-08-06

Hi Pedro,

You have asked for deviceReceiptTime!

With agentReceiptTime it is not possible because the agentTime arrive after the parsing of events.

Could you please show endTime and deviceReceiptTime to see if there are not equal?

Thanks

Kind Regards

Michael

ESM

Smart Connector