Variable from Active List, rule & actions
I have a problem with the IT Governance package, ISO 9, use case Physical Access - rule Successful Badge In.
This rule identifies when an employee badges in and puts the badge id and other information on the Badged In active list.
Actions are defined like this:
On First Event: Set Event Field Actions:
targetUserName = $getEmployeeInformationComputerAccount
targetUserPrivileges = $getEmployeeInformationEmployeeType
Add to Active List:
Field: Target User ID
Field: Target User Name
Field: Target User Privileges
Resource: /All Active Lists/ArcSight Solutions/IT Governance 4.0/Badged In
Under Local Variables there is variable:
getEmployeeInformation get_activelist_value("active list uri...Badges To Accounts....");
Active list name is: Badges To Account and consists of:
Badge Id String
Computer Account String
Employee Type String
Problem is with variables $getEmployeeInformationComputerAccount and $getEmployeeInformationEmployeeType
that don't work. I get literally "$getEmployeeInformationEmployeeType" instead of employee type from active list Badges To Account.
I have tried many things, capital letters, small letters, with dot, without dot...created new variables, new global variable, but
nothing, I get this kind of data on the Badged In list (csv export):
41044,$getEmployeeInformationComputerAccount,$getEmployeeInformationEmployeeType,9 pro 2010 09:57:50 CET,9 pro 2010 10:07:52 CET,2
41213,$getEmployeeInformationComputerAccount,$getEmployeeInformationEmployeeType,9 pro 2010 10:47:50 CET,9 pro 2010 10:47:50 CET,1
41256,$getEmployeeInformationComputerAccount,$getEmployeeInformationEmployeeType,9 pro 2010 10:57:51 CET,9 pro 2010 10:57:51 CET,1
52343,$getEmployeeInformationComputerAccount,$getEmployeeInformationEmployeeType,9 pro 2010 11:17:52 CET,9 pro 2010 11:17:52 CET,1
52351,$ComputerAccount,$EmpType,9 pro 2010 11:37:53 CET,9 pro 2010 11:37:53 CET,1
52352,$brojRacuna,$tipZaposlenika,9 pro 2010 13:17:52 CET,9 pro 2010 13:17:52 CET,1
There is no real data. When I test variable getEmployeeInformation, I get normal output - computer account and employee type.
What version of the ESM are you using? Quick possible solutions are making sure both the variable name and the field that is being set to are aggregated in the rule.
ESM 5.0.6450.0 , IT Gov 4.0 SP1
I have checked, they are aggregated; this is the summary:
Aggregate if at least 1 matching conditions are found withing 2 minutes and
these event fields are the same
(event1.Target User Name, event1.getEmployeeInformation.Computer Account,
event1.Target User ID, event1.Target User Privileges,
Are there spaces in the columns of the active list where the information is being pulled from? I noticed on your first message you have getEmplyeeInformation.EmployeeType and this last one you have getEmployeeInformation.Employee Type. I almost mentioned something in my first email but decided to be good and restrain myself. There is a bug in 5.0 where if there is a space in the column name, the information won’t be pulled. This should have been fixed with SP1, which is out, but I haven’t had a chance to implement it. Put an underscore where the spaces are (e.g., getEmployeeInformation.Employee_Type). I have been told that putting the underscore in as a workaround will be supported in SP1 and that you won’t have to back that fix out after you apply the patch. I’m skeptical.
Frankly if this is the fix I will probably LMAO given ArcSight broke their own sh…stuff.
Yes, that was the problem - blanks in field name. We have recreated the active list with field names without blanks, didn't apply the patch, and modified the rule.
That solved our problem. Thank you very much.
If you come to Croatia, you have chevapi & beer from me (meat, grill) :-))
Just a note to say thanks Mark, and confirm syntax and patch in 5.0SP1.
1. Yes _ is used to replace any space in an active list field name
2. No . is used in referencing the variables.
Screen image for clarity (LOL sort of after upload and conversion to PNG).
In a bit of irony, just yesterday I noticed that for 5.0 patch 1, while they fixed the underscore bit (you can use it or not), it broke the option to not put a dot delimiter between the variable name and the field name for a getAL variable type. You have to put the dot in. Not sure if that is reflected in sp1 or not. I had to go to patch 1 because they developed a hotfix for us for a different issue and sp1 was already out. Will be included in sp2 from what I understand.
Edit: Took a closer look at Dave's pic and don't see the dot so must have been fixed between patch 1 and sp1.
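A check for the symptom discussed in this thread, as an added example that is not part of the original posts or of ArcSight: it scans a CSV export of an active list for fields that still hold a literal `$variable` name, and lists source-list column names containing spaces together with the underscore form suggested above. The function names and the third sample row are assumptions made for illustration.

```python
import csv
import io
import re

# A field that is exactly "$name" means the rule variable was never resolved
# and its literal name was written to the active list instead of a value.
UNRESOLVED = re.compile(r"^\$[A-Za-z_][A-Za-z0-9_.]*$")

# Constructed sample in the column order of the Badged In export shown in the
# thread; the third row is a made-up example of a correctly resolved entry.
SAMPLE_EXPORT = """\
41044,$getEmployeeInformationComputerAccount,$getEmployeeInformationEmployeeType,9 pro 2010 09:57:50 CET,9 pro 2010 10:07:52 CET,2
52351,$ComputerAccount,$EmpType,9 pro 2010 11:37:53 CET,9 pro 2010 11:37:53 CET,1
60001,jdoe,Contractor,9 pro 2010 14:00:00 CET,9 pro 2010 14:00:00 CET,1
"""


def find_unresolved(export_text):
    """Return (row_number, key_field, [unresolved fields]) for each bad row."""
    hits = []
    for n, row in enumerate(csv.reader(io.StringIO(export_text)), start=1):
        bad = [f for f in row if UNRESOLVED.match(f.strip())]
        if bad:
            hits.append((n, row[0], bad))
    return hits


def columns_with_spaces(columns):
    """Map each column name containing a space to the underscore form
    suggested in the thread (e.g. 'Employee Type' -> 'Employee_Type')."""
    return {c: c.replace(" ", "_") for c in columns if " " in c}


if __name__ == "__main__":
    for n, key, bad in find_unresolved(SAMPLE_EXPORT):
        print(f"row {n} (key {key}): unresolved {', '.join(bad)}")
    # Column names of the Badges To Account list as given in the first post.
    print(columns_with_spaces(["Badge Id", "Computer Account", "Employee Type"]))
```

Running it against an export taken after a rule or active list change shows whether enrichment fields such as the computer account are being populated, which matters because downstream correlation on those fields silently matches nothing while they hold placeholder text.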