Severity Mapping doesn't work
Hello everyone!
I'm quite a newbie on ArcSight products, so maybe I'm doing something wrong, but I can't get the severity mapping working correctly on my Flex file.
Let me explain:
In the log source, I have an ID (0, 1 or 2). It is collected correctly with a regex.
Then I put the value in a token:
And link it with a field:
Up to here, everything is working fine. I read the correct deviceSeverity value in this field.
But I'm now trying to set a severity depending on this ID:
It doesn't work. I still get "unknown" in the severity field.
Can you help me get the severity.map working, please?
I'm not using Flex too much these days, but from what I can find on similar questions, you are using a "," instead of ".." between 0 and 1.
The "," might mess up your syntax?
Try this one:
All topics and replies I make are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort and cannot be taken as official support replies.
You have a syntax error. Below is what you have. Get rid of "event" in "if.event.deviceSeverity".
It should be as follows:
I've tried both solutions, but I'm still getting "Unknown" severity.
When I look at agent.log, the only lines mentioning "severity" are the ones below:
[2018-05-15 16:30:06,775][INFO ][default.com.arcsight.agent.d0.e][getInputStream] Resource [junos_syslog_devicetoagentseverity_map.csv] found in [/opt/arcsight/connector/current/system/agent/fcp/arcsightagents.aup|syslog junos_syslog_devicetoagentseverity_map.csv.arc]
This is not relevant, since the logs are not from junos_syslog. I don't have anything else in the log file.
Any idea to help me understand what is wrong with this field? Should I use something other than the "deviceSeverity" field?
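To make the failure mode in this thread concrete, here is an added Python model of how a properties-style severity map is read and applied. It is not the ArcSight connector's own code: the key form `severity.map.<level>.if.deviceSeverity=<v1>,<v2>` is assumed from the FlexConnector documentation, the sample properties are constructed, and whether the real connector accepts range notation is not modelled. The point it shows is that a key which does not match the expected form (for example one carrying an extra `event` segment) is silently dropped rather than rejected, so the value it should have covered falls through to "Unknown".

```python
# Added example (not the connector's own implementation): a small model of
# FlexConnector-style "severity.map" properties. Key form assumed:
#   severity.map.<level>.if.deviceSeverity=<value>[,<value>...]
# with <level> one of veryhigh, high, medium, low, unknown.
import re

LEVELS = ("veryhigh", "high", "medium", "low", "unknown")
AGENT_SEVERITY = {
    "veryhigh": "Very-High",
    "high": "High",
    "medium": "Medium",
    "low": "Low",
    "unknown": "Unknown",
}
KEY_RE = re.compile(r"^severity\.map\.(?P<level>[a-z]+)\.if\.deviceSeverity$")

# Constructed sample: the "high" key carries a stray "event" segment.
BROKEN_PROPS = """
# mapping with a malformed key
severity.map.high.if.event.deviceSeverity=2
severity.map.medium.if.deviceSeverity=1
severity.map.low.if.deviceSeverity=0
"""

# Constructed sample: the same mapping with the key corrected.
FIXED_PROPS = """
severity.map.high.if.deviceSeverity=2
severity.map.medium.if.deviceSeverity=1
severity.map.low.if.deviceSeverity=0
"""


def parse_severity_map(properties_text):
    """Return (mapping, rejected): mapping is {deviceSeverity value: level},
    rejected lists every non-comment line that did not match the key form."""
    mapping = {}
    rejected = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        match = KEY_RE.match(key.strip())
        if not sep or match is None or match.group("level") not in LEVELS:
            # A malformed key is ignored, which is what leaves values unmapped.
            rejected.append(line)
            continue
        for token in value.split(","):
            token = token.strip()
            if token:
                mapping[token] = match.group("level")
    return mapping, rejected


def resolve_agent_severity(mapping, device_severity):
    """Agent severity for a deviceSeverity value; unmatched values are Unknown."""
    level = mapping.get(str(device_severity).strip(), "unknown")
    return AGENT_SEVERITY[level]


def demo():
    """Compare the broken and fixed property sets for deviceSeverity 0, 1, 2."""
    result = {}
    for name, props in (("broken", BROKEN_PROPS), ("fixed", FIXED_PROPS)):
        mapping, rejected = parse_severity_map(props)
        result[name] = {
            "rejected": rejected,
            "severity": {v: resolve_agent_severity(mapping, v) for v in ("0", "1", "2")},
        }
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome["severity"], "rejected:", outcome["rejected"])
```

When checking a real Flex parser, the same idea applies: list every `severity.map.*` key the connector actually loaded, and any deviceSeverity value that is not covered by a well-formed key will show up as "Unknown" in the agent severity.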