Mapping one field to another with map file or rule

Hello,

I am hoping to better understand the best practices when mapping the contents of one field to another.

My question is whether it is better to map the contents of one field to another at the connector level using a mapping file or whether I should populate the empty field with a rule via the console.

A little more explanation:

I wish to put the contents of deviceHostName into the currently empty field sourceHostName.

I originally thought of creating a mapping file with the contents of:

map.0.properties

event.sourceHostName,set.event.sourceHostname

event.deviceHostName

*I am unaware if this is the correct syntax, as I am new to mapping files*

Or should I create a rule which populates sourceHostName from deviceHostName?

I will eventually be using these events to create data monitors and reports.

Any advice is welcome and thank you in advance for your replies.

Regards

Jack

Re: Mapping one field to another with map file or rule

Hello Jack

As long as you can achieve the mapping using the connector, this is always preferable to using the ESM itself.

BTW why do you need to copy the same data from one field to another rather than just using the original field as the one in your data monitor or report?

Best regards

David

Re: Mapping one field to another with map file or rule

Hello David,

Thank you for your reply.

The reason is because, although the device.hostname etc. fields are populated, the source fields are not, but the destination fields are. Therefore, for readability and to make the reports as clear as possible, I wish to use source/destination instead of device/destination.

Could you tell me how I may accomplish this using a map file? Is my syntax correct?

Thanks again

Regards

Jack

Re: Mapping one field to another with map file or rule

set.expr(deviceHostName).event.sourceHostName

deviceHostName

Re: Mapping one field to another with map file or rule

Thank you Shaun, this worked.

Do you know where I can obtain more information on how to map events? Also, does this populate the whole of the source category or just the host name, as other fields are now mapped in the source category, but that may have been done automatically by ArcSight?

Once again thanks
