scott.johnson@m Trusted Contributor.

Variable to get the unique Event ID from an Active List

I'm populating an active list from a rule with the unique Event ID (set up as a key field) from ArcSight.  When I create a filter to map the event ID, it is not listed as a choice.  Is there a way to get this value with a local or global variable, or will ArcSight not allow you to map this as a key field?

Thanks in advance for your help.

Gayan Acclaimed Contributor.

Re: Variable to get the unique Event ID from an Active List

Hi Scott,

When you created the list, did you make it a key field?

Cheers

Gayan

chris.allen3@hp1 Super Contributor.

Re: Variable to get the unique Event ID from an Active List

Hey Scott,

  The "InActiveList" condition option was removed by design from the active channel filters.

This is due to the excessive load put on the system to perform list lookups against the database and an array of anomalies with active channel continuously evaluate scenarios.

When a rule performs this task it is checking the engine memory banks where this load is more efficient.

It sounds like you just want to see the rule fire inside of an active channel.

One of the better ways to do this is to create a channel with a filter of (filePath startswith /All Rules/Real-time Rules/My Active Channel) and stick any rule you want to see in that active channel into this folder.

If your rules need to aggregate the file path and maintain that data, then you can set up the rule actions to write a unique keyword into another field that your channel can filter on.

If you need to bind a rule to an active channel regardless of the actions, name, or the folder it's under you can filter on the generatorId field for the rule's resourceId (I believe some of the activate framework content uses this method).

If you just want the answer to this question:

Yes.

You'll need to write a getActiveListValue variable in your active channel, and your active list will need at least 2 fields: a keyed and a non-keyed field.

This is not recommended; you may find a few bugs, and it may cause performance issues with large lists, but it does work in simple form.

Cheers!

-Chris

scott.johnson@m Trusted Contributor.

Re: Variable to get the unique Event ID from an Active List

Gayan-

Yes, I made the Event ID a key field.  The problem is when I try to create a variable and map it, the Event ID is not listed as an option.  I don't know if this is something done by design, or if I'm doing something wrong.

event ID.PNG

Thanks

Scott

scott.johnson@m Trusted Contributor.

Re: Variable to get the unique Event ID from an Active List

Chris-

Thanks for responding.  You are correct, I'm trying to read an active list in an active channel.  I will try your suggestion of writing a unique word into another field.

Thanks

Scott
