Thanks for highlighting the issues which I had observed during my troubleshooting.
After a lot of troubleshooting, I managed to parse most of the fields.
Now stuck at 2 points.
1. I have a user ID field which contains data like "ROY0644" or null. Which field can I use to map this data, and how can I achieve this?
2. The other field is session ID, which contains data like "O:7122223". How can I extract only the number and map it to one of the fields? If that is not possible, how can I map the data as it is?
Please assist in the same.
Thanks & Regards,
Great news that the parser is working nearly correctly.
For User ID, you may use the ArcSight field you already used, sourceUserId (it is a string).
For Session ID, you may use deviceEventClassId because this field should be used in ArcSight.
To extract the number only, you may use __regexToken or, even better, the function __split.
Thanks for quick response.
The User ID field contains characters as well as numbers. Will it be accepted as a String? Can you give me an example of the mapping for User ID "ROY0644"?
For Session ID "O:7122223", how can I use __regexToken or, even better, the function __split? I tried those options but it's not giving output.
Can you help with example?
Thanks & Regards,
You may have numbers considered as chars; this is why for User ID (string = char) you may use event.sourceUserId=USER_ID.
Then for SESSION_ID, it depends on whether you would like to have a number; in that case, you have to use regexTokenAsInteger or __splitAsInteger and, regarding the ArcSight field, you will use the deviceCustomNumberX fields.
But you have to use the field deviceEventClassId to allow ArcSight to work properly.
In fact, this field should be unique, so I advise you to use deviceEventClassId for the complete SESSION_ID and then use another integer field mentioned above for the extracted number.
Thanks for assistance.
All issues have been sorted out. I declared SESSION_ID as string and mapped it to deviceEventClassId. Same for User ID.
Thank you all.
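
The mapping discussed in this thread, modelled in Python as an added example (it is not from any poster and is not FlexConnector parser syntax): it extracts the number from a session ID like "O:7122223" by split and by regex, and shows what happens with a null user ID or a session ID with no number. The function names, the sample rows and the choice of `deviceCustomNumber1` for "deviceCustomNumberX" are assumptions made for illustration.

```python
import re

# Constructed sample rows, using the value shapes quoted in the thread.
SAMPLE_ROWS = [
    {"USER_ID": "ROY0644", "SESSION_ID": "O:7122223"},
    {"USER_ID": None, "SESSION_ID": "O:7122223"},
    {"USER_ID": "ROY0644", "SESSION_ID": "O:"},
]

SESSION_NUMBER = re.compile(r":([0-9]+)$")


def session_number_by_split(session_id):
    """Split on ':' and convert the second piece; None if it is not a number."""
    if not session_id:
        return None
    parts = session_id.split(":")
    if len(parts) != 2 or not re.fullmatch(r"[0-9]+", parts[1]):
        return None
    return int(parts[1])


def session_number_by_regex(session_id):
    """Capture the digits after ':'; None if the pattern does not match."""
    match = SESSION_NUMBER.search(session_id or "")
    return int(match.group(1)) if match else None


def map_row(row):
    """Build the event fields named in the thread from one parsed row."""
    event = {}
    if row.get("USER_ID"):
        # Letters plus digits ("ROY0644") stay a string; null leaves it unset.
        event["sourceUserId"] = row["USER_ID"]
    # Full session ID kept as a string, as the thread settled on.
    event["deviceEventClassId"] = row["SESSION_ID"]
    number = session_number_by_split(row["SESSION_ID"])
    if number is not None:
        # Hypothetical pick standing in for the thread's "deviceCustomNumberX".
        event["deviceCustomNumber1"] = number
    return event


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(map_row(row))
```
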