gwnj

Match event to two Active List columns

I wanted to know if anyone has ever been successful matching two active list fields (one key and one non-key) to one event field for a report. In a nutshell, if I have an active list showing domain location and domain name (mapping to attacker or target host name with a variable)... am I able to query on both and match them to an event? When I only query on the domain name key field, the report seems to take forever to run and never finishes. I am using "get list" and "custom condition variables" and a fields-based list with one key field. How can I use the non-key field to help narrow down the list searching if that field is not an ArcSight field? I want the report to show me all active list and base event values when that domain name showed in an event. But if I add a variable using the domain location field, I get SQL join errors when testing in a query viewer.

brian.chong@hpe

Re: Match event to two Active List columns

Could you post the 2 ALs you've mentioned in this post so that I have a better idea? If you can post the ARB package, that would be better so that I have a better understanding of your content.

Thanks,
Brian Chong
