Oliver843 Honored Contributor.

Use Local Variables On Set Event Field Within A Join Rule


Hello,

I have a rule question about using variables from two events.

Overview

I wish to create one event which has the information of several other events contained within it. With the help of other Protect724 users I have achieved this to some degree by writing a rule which uses a key field contained in all the events and then extracting another non-key field and putting this event into an active list. I then wrote another rule to do the same thing for another event. I then created a local variable which uses an Indexof on the devicecustomstring 4 field which contains the two events separated by a pipe symbol. I successfully pull out the key field into variable Value1.

I then used a matching condition so that event1.Value1 = event2.Value1.

Value1 equals the key field.

So I now have two events within my correlation event where, I believe, the variables should equate to:

  • event1.Value1= the key field = 1234
  • event2.Value2= the key field = 1234
  • event1.Value2= the first non-key event G:\
  • event2.Value2= the second non-key event TestFile.txt

The Problem

I need to set these event fields in the new event before I populate another active list with the final formatted event. I know that the event1.Value1 and event2.Value2 variables must be being populated because I have two events in my correlation event that match on this field. However, when I try to set the message field to $event1.Value2 and the name field to $event2.Value2, my active list only gets populated with the text $event1.Value2 and $event2.Value2 and not the data that is contained within those variables.

Am I right in thinking that these variables do contain the information I require?

If I set the event as $Value2 it will set it as G:\ which is the value of the first event.

So is the process correct? And if so, is there a known problem with setting fields with joined rule variables?

Any insight you could offer would be greatly appreciated.

Kindest Regards

Oliver


Accepted Solutions
David Bau Outstanding Contributor.

Re: Use Local Variables On Set Event Field Within A Join...


Hi Oliver

Please review this previous post

https://community.saas.hpe.com/t5/ArcSight-Questions/Override-Name-in-Join-Rule/qaq-p/1598167/comment-id/62223#M62223

Also, instead of using index of, you can use a Velocity variable that looks like this:

#set($tempvar=$deviceCustomString4)$tempvar.replaceAll('(.*?)\|.*','$1') for the first token (first pipe)

or the second pipe etc

#set($tempvar=$deviceCustomString4)$tempvar.replaceAll('.*?\|(.*?)\|.*','$1')

Best regards

David
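
The two replaceAll patterns from the answer above, run against constructed field values; this is an added example, not part of the original post. Python's `re.sub` stands in for the Java `String.replaceAll` that the Velocity expression calls (equivalent for these single-line values), and `replace_all`, `nth_token` and `check_field` are hypothetical helper names.

```python
import re

# The two patterns from the answer above, as passed to replaceAll().
FIRST_TOKEN = r'(.*?)\|.*'
SECOND_TOKEN = r'.*?\|(.*?)\|.*'

# Constructed deviceCustomString4 values built from the thread's sample data.
SAMPLES = [
    '1234|G:\\',                 # key field plus one token, no trailing pipe
    '1234|G:\\|TestFile.txt',    # key field plus two tokens
    'no pipes at all',           # malformed / unexpected field content
]


def replace_all(value, pattern):
    """Mimic $tempvar.replaceAll(pattern, '$1') for single-line values.

    A callable replacement inserts group 1 literally, so a backslash in
    the captured text (as in G:\\) is not treated as an escape.
    """
    return re.sub(pattern, lambda m: m.group(1), value)


def check_field(value):
    """Return {name: (result, matched)} for both patterns.

    matched is False when the pattern found nothing, in which case
    replaceAll hands back the input unchanged rather than a token.
    """
    report = {}
    for name, pattern in (('first', FIRST_TOKEN), ('second', SECOND_TOKEN)):
        matched = re.search(pattern, value) is not None
        report[name] = (replace_all(value, pattern), matched)
    return report


def nth_token(value, n):
    """Generalisation (not from the thread): n-th pipe-separated token,
    1-based, or None when the field has fewer than n tokens."""
    parts = value.split('|')
    return parts[n - 1] if 1 <= n <= len(parts) else None


if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), check_field(sample))
```

The second pattern needs a pipe after the second token: for a field holding only `key|value` it does not match and the whole field comes back unchanged.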

Oliver843 Honored Contributor.

Re: Use Local Variables On Set Event Field Within A Join...


Hello David,

Thanks again for your reply,

I have reviewed the previous comment and while the information in there is valuable it refers to setting the field of the new correlation event with information already set within the joined events.

While there may be a workaround solution I could use this for, is it possible to set an Alias such as:

  • Alias1 = first indexof first pipe, event 1
  • Alias2 = second indexof second pipe, event 1
  • Alias3 = first indexof first pipe, event 2
  • Alias4 = second indexof second pipe, event 2

All looking at the devicecustomstring4?

Please note that the Aliases in bold will not contain the same information, but Alias1 and 3 will.

I tried your example with the two Alias fields and tried to set devicecustomstring5 and devicecustomstring6 with the values but they both come out as the same information.

As always your help is very much appreciated.

Regards

Oliver

 

David Bau Outstanding Contributor.

Re: Use Local Variables On Set Event Field Within A Join...

Hi Oliver, as long as you are aggregating and using the set event field action to all of the relevant variables and fields, this should work fine.
vigneshwar Super Contributor.

Re: Use Local Variables On Set Event Field Within A Join...


You can try creating an alias field variable for the local variable and then adding this alias field in the aggregation and reference it to event 1 and then use the $ reference to the alias field variable. I hope that works.

st00129092 Frequent Contributor.

Re: Use Local Variables On Set Event Field Within A Join...


Thank you vigneshwar! It could set event field using an alias as suggested by you. Finally it worked, thanks a ton!
