
Using local variable If statement to populate field

Maybe I'm going about this the wrong way. I have syslog that is coming in but it isn't parsing well. When a user has a failed login, this event ends with Failure. Since these aren't parsing well, my categoryOutcome field doesn't populate Failure. So I'm trying to write a local variable that says if Name endswith Failure then categoryOutcome = /Failure... but it isn't working like that. Any help would be appreciated. Also, this is a pre-persistent rule, if that helps.

1 Reply

You need to use a set event field action on the rule, not use a variable. Your rule's filter would be:

Name endswith Failure

and the rule action would be:

Set event field categoryOutcome = /Failure

You could also use a parser override, categorization override or map file to correct it at the connector level.
