pratikp Absent Member.
Absent Member.

Re: TimeBased DB Flex Connector Error

Jump to solution

Dear Michael,

Thanks for highlighting issues which I had observed during my troubleshooting

After lot of troubleshooting, I managed to parse most of the fields.

Now stuck at 2 points.

1. I have user ID filed which contains data like "ROY0644" or null. Which field I can use to map this data and How I can achieve this ?

2. Other field is session ID which contains data like "O:7122223" . How I can extract only number and and map it to one of the field. If that is not possible how I can map as it is data ?

Please assist in the same.

Thanks & Regards,

Pratik

0 Likes
mschleich Acclaimed Contributor.
Acclaimed Contributor.

Re: TimeBased DB Flex Connector Error

Jump to solution

Hi Patrik,

Great news for the parser working nearly correctly.

For User ID, you may use the arcsight field you used already sourceUserId (it is a string)

For Session ID, you may used deviceEventClassId because this field should be used in ArcSight.

To extract number only you may use __regexToken or event better the function __split

Regards

Michael

0 Likes
pratikp Absent Member.
Absent Member.

Re: TimeBased DB Flex Connector Error

Jump to solution

Dear Michael,

Thanks for quick response.

User ID filed contains data as characters as well as numbers, Will it be accepted as String. Can you give me example of mapping for User Id "ROY0644".

For Session Id "O:7122223" how I can use __regexToken or event better the function __split. Because I tried those options but its not giving output.

Can you help with example?

Thanks & Regards,

Pratik

0 Likes
mschleich Acclaimed Contributor.
Acclaimed Contributor.

Re: TimeBased DB Flex Connector Error

Jump to solution

Hi Patrik,

You may have number considered as char this why for User ID (string = char) you may use event.sourceUserId=USER_ID.

Then for SESSION_ID, it depends if you would like to have number in this case, you have to use regexTokenAsInteger or __splitAsInteger and regarding arcsight field, you will use deviceCustomNumberX fields.

But you have to use the field deviceEventClassId to permit to ArcSight to work properly.

In fact this field should be unique so I advice you to use deviceEventClassId for SESSION_ID complete and then you another integer field mentioned above to the extracted number.

Thanks

regards

Michael

0 Likes
Highlighted
pratikp Absent Member.
Absent Member.

Re: TimeBased DB Flex Connector Error

Jump to solution

Dear Michael,

Thanks for assistance.

All issues have been sorted out. I declared SESSION_ID as string and mapped it to deviceEventClassId. Same for User ID.

Thank you all.

Regards,

Pratik

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.