I am hoping to better understand the best practices when mapping the contents of one field to another.
My question is whether it is better to map the contents of one field to another at the connector level using a mapping file or whether I should populate the empty field with a rule via the console.
A little more explanation:
I wish to put the contents of deviceHostName into the currently empty field sourceHostName.
I originally thought of creating a mapping file with the contents of:
*I am unaware if this is the correct syntax as I am new to mapping files*
Or should I create a rule which populates sourceHostName from deviceHostName?
I will eventually be using these events to create data monitors and reports.
Any advice is welcome and thank you in advance for your replies.
As long as you can achieve the mapping using the connector, this is always preferable to using the ESM itself.
BTW why do you need to copy the same data from one field to another rather than just using the original field as the one in your data monitor or report?
Thank you for your reply.
The reason is because although the device.hostname etc. fields are populated, the source fields are not but the destination fields are. Therefore, for readability and to make the reports as clear as possible, I wish to use source/destination instead of device/destination.
Could you tell me how I may accomplish this using a map file? Is my syntax correct?
Thank you Shaun, this worked.
Do you know where I can obtain more information on how to map events? Also, does this populate the whole of the source category or just the host name, as other fields are now mapped in the source category but that may have been done automatically by ArcSight.
Once again, thanks.