rohanparath

Token function on submessages


Hi All,

I have been trying to figure this out for some time now and I do not see where I am going wrong. Extract of my properties file:

submessage[0].pattern.count=1
submessage[0].pattern[0].regex=\\S+\\s(\\d{1,2}\\/\\d{1,2}\\/\\d{1,2})\\s\\S+\\s(\\d{1,2}\\:\\d{1,2}\\s\\S+)\\s
submessage[0].pattern[0].fields=event.deviceCustomString1,event.deviceCustomString2
submessage[0].pattern[0].extramappings=event.flexDate1\=__createOptionalTimeStampFromString(__concatenate(event.deviceCustomString1,event.deviceCustomString2),dd/MM/yy HH\:mm aa)

My sub message token

System_Date: 3/14/14 System_Time: 10:41 PM

When running this through the ArcSight regex helper I always get the error:

FATAL EXCEPTION:
com.arcsight.agent.parsers.operation.WrongArgumentsException: Unable to create time stamp with value as [], format as [dd/MM/yy HH:mm a]
        at com.arcsight.agent.parsers.operation.createOptionalTimeStampFromStringOperation.getResult(createOptionalTimeStampFromStringOperation.java:77)
        at com.arcsight.agent.parsers.j$d_.a(j$d_.java:1395)
        at com.arcsight.agent.parsers.j.a(j.java:763)
        at com.arcsight.agent.parsers.j.a(j.java:640)
        at com.arcsight.agent.sdk.a.r.a(r.java:425)
        at com.arcsight.agent.sdk.a.r.a(r.java:311)
        at com.arcsight.agent.sdk.a.t.i(t.java:93)
        at com.arcsight.agent.sdk.util.RegexTester.testRegex(RegexTester.java:1069)
        at com.arcsight.agent.sdk.util.RegexTester.loadState(RegexTester.java:893)
        at com.arcsight.agent.sdk.util.RegexTester.<init>(RegexTester.java:780)
        at com.arcsight.agent.sdk.util.RegexTester.main(RegexTester.java:2202)

I am not sure why it does not see the value, because when I look at the values for deviceCustomString1 and deviceCustomString2 I see the correct values in the ArcSight regex helper window (Capture2.PNG).

Any help would be great.

Thanks

Rohan


Accepted Solutions
Vandaag

Re: Token function on submessages


Hello Rohan,

You cannot use event fields in the ArcSight functions. You can only use tokens in the functions.

You need to replace the deviceCustomStrings with $1 and $2 so the line would be like:

submessage[0].pattern[0].extramappings=event.flexDate1\=__createOptionalTimeStampFromString(__concatenate($1,$2),dd/MM/yy HH\:mm aa)

Regards,

Richard

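To make the token-versus-field distinction in the answer above concrete, here is a small Python model of the two evaluation stages (an added example, not part of the thread and not ArcSight code): the regex from the question produces the tokens $1 and $2, and function arguments are then resolved against that token table only. The empty-string fallback for a non-token name such as event.deviceCustomString1 is an assumption, chosen to reproduce the value [] the regex helper reported.

```python
import re

# Regex from the question's properties file as a Python raw string
# (the properties file doubles the backslashes; \/ and \: are plain / and :).
PATTERN = re.compile(
    r"\S+\s(\d{1,2}/\d{1,2}/\d{1,2})\s\S+\s(\d{1,2}:\d{1,2}\s\S+)\s"
)

# Constructed sample: the submessage token from the question, with a
# trailing space because the pattern's final \s requires one.
SAMPLE = "System_Date: 3/14/14 System_Time: 10:41 PM "

def extract_tokens(text: str) -> dict[str, str]:
    """Stage 1: each regex capture group becomes a token $1, $2, ..."""
    m = PATTERN.match(text)
    if m is None:
        raise ValueError("submessage does not match the pattern")
    return {f"${i}": g for i, g in enumerate(m.groups(), start=1)}

def resolve_argument(arg: str, tokens: dict[str, str]) -> str:
    """Stage 2: function arguments are looked up in the token table only.
    An event.* name is a destination field, not a token, so it resolves to
    "" here (assumed behaviour that matches the helper's value [] message)."""
    return tokens.get(arg, "")

def timestamp_input(args: list[str], tokens: dict[str, str], fmt: str) -> tuple[str, str]:
    """Model of __createOptionalTimeStampFromString(__concatenate(args), fmt):
    returns the (value, format) pair handed to the date parser, or raises
    with the same message shape the regex helper printed."""
    value = "".join(resolve_argument(a, tokens) for a in args)
    if not value:
        raise ValueError(f"Unable to create time stamp with value as [{value}], format as [{fmt}]")
    return value, fmt

if __name__ == "__main__":
    fmt = "dd/MM/yy HH:mm aa"
    toks = extract_tokens(SAMPLE)
    print(toks)  # {'$1': '3/14/14', '$2': '10:41 PM'}
    try:
        timestamp_input(["event.deviceCustomString1", "event.deviceCustomString2"], toks, fmt)
    except ValueError as err:
        print("field names:", err)
    print("tokens:", timestamp_input(["$1", "$2"], toks, fmt))
```

Printing the concatenated value also shows the exact string the timestamp function has to parse, which is worth checking against the format string before loading the properties file into the connector.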
rohanparath

Re: Token function on submessages


Perfect! Thanks a lot for your help, Richard. That just did the trick.

Thanks and Best Regards,

Rohan

rohanparath

Re: Token function on submessages


Hi Richard,

Just wanted to check, can I use the createTimeStamp function instead? The question I have is what I would use for the event field mapping. From the Flex guide, I could find any field that is of Date or Time type.

If I use the below lines:

submessage[0].pattern[0].regex=\\S+\\s(\\d{1,2}\\/\\d{1,2}\\/\\d{1,2})\\s\\S+\\s(\\d{1,2}\\:\\d{1,2}\\s\\S+)\\s
submessage[0].pattern[0].fields=event.additionaldata.date,event.additionaldata.time
submessage[0].pattern[0].types=Date,Time
submessage[0].pattern[0].formats=dd/MM/yy,HH\:mm aa
submessage[0].pattern[0].extramappings=event.flexDate1=__createTimeStamp($1,$2)

I get the error:

FATAL EXCEPTION:
com.arcsight.common.introspection.InvalidFieldException: Invalid field name: additionaldata.time, for class com.arcsight.event.SecurityEvent

Is it that createTimeStamp cannot be used in sub messages? I have used the same mapping when it was not in the sub message and it worked fine; only if I use it in the sub message do I see this issue.

The reason I want to use createTimeStamp is that in the earlier way, I would have to use CustomString1 and CustomString2 for this mapping. With the list of other events coming in next, I would rather have the CustomStrings available for other field mappings.

Thanks for your help in advance.

Regards,

Rohan

Vandaag

Re: Token function on submessages


Hello Rohan,

I have not yet used the createTimeStamp function, but you should be able to use any function in the sub messages.

I am not sure if this is a copy and paste error, but the = sign after event.flexDate1 needs to be escaped as you did in the original sample.

Regards,

Richard
