mijacr Regular Contributor.
1206 views

Why is my rule only working in test (Verified Rules)?


I made a rule, and when I click Test, I can create an active channel that is very limited (read-only fields) and based on a replay. The correlation events are being shown, but when I create a regular active channel with the condition Generator ID: [ruleGeneratorId] there are no results (even when I'm looking at the correlated events with the correct Generator ID in the "Testing" active channel). Also, this "testing" active channel has a red bolt instead of a yellow one, and shows a sort of filter called Verified Rules: [MyRuleName].

Is the rule inactive for some reason? I disabled and re-enabled the rule to no effect.


Accepted Solutions
Micro Focus Frequent Contributor

Re: Why is my rule only working in test (Verified Rules)?


The rules start triggering once you move them to the real-time rules folder. Did you move your rule to the real-time folder?

Regarding the regular active channel, you can try with the generator URI (which is the location where that resource is stored in the system). If your rule has any active list condition included, that could be the reason for your regular channel not working.

And if the fields are the issue, then you can select the fields when creating the test channel while testing the rule.

5 Replies
mijacr Regular Contributor.

Re: Why is my rule only working in test (Verified Rules)?

I just noticed the folder Real-Time rules is actually related to rule deployment. I guess that is a possible reason...
mijacr Regular Contributor.

Re: Why is my rule only working in test (Verified Rules)?

Absolutely right, the rule was in my personal folder, and it seems that test channels are very stiff (no sliding time window), but then I guess ArcSight needs to cache the replay done under the tested rule and does that only once...
varunraaj Honored Contributor.

Re: Why is my rule only working in test (Verified Rules)?


Hi,

As stated earlier, the rule should be in the "Real Time" folder. Also note that rules work on real-time events only. There is a possibility that the rule's conditions were met earlier and are not satisfied at present; please check that as well.

Regards,

Varun P G

kemccor Regular Contributor.

Re: Why is my rule only working in test (Verified Rules)?


Also, when you test a rule, the results show up in the rule test channel that ArcSight creates. To be able to see these events later you must save that channel. And yes, this channel is permanently set at the time range you set when you tested the rule.

You can't query for these events in a channel (at least in ESM v6.5 through 6.11). However, you can find them by building a report to look for them. Report queries look into the database differently than active channels do.
