Hello Naresh,

You have two such examples in the document mentioned in the previous thread:

-> Page 21 Velocity Template:

"

#if($deviceHostName.endsWith("CUSTOMERNAME"))/All

Customers/MSSP/CUSTOMERNAME#elseif($deviceHostName.endsWith

("CUSTOMERNAME2"))/All Customers/MSSP/CUSTOMERNAME2#end

"

-> Page 23 Map Files

Have you already tried those?

All the best,

Stefan

Hi Stefan,

Thank you for your reply.

I haven't tried those yet.

first i want to know how its work :

#if($deviceHostName.endsWith("CUSTOMERNAME"))/All

Customers/MSSP/CUSTOMERNAME#elseif($deviceHostName.endsWith

("CUSTOMERNAME2"))/All Customers/MSSP/CUSTOMERNAME2#end

as per the above syntax if the device hostname end with the customer then only customer name will be tagged to that events.

but i want  to segregate customer on the basis of subnet (IP range), then what will be syntax ?

Regards,

Naresh

Hello Naresh,

For the time being I was not able to find a Velocity function dealing with IP Addresses.

However, you could use String functions on Address ArcSight Fields. I agree it is more complex, but it can be done nevertheless. For example I have successfully tested the following in the Customer URI Field:

"

#if($deviceAddress.startsWith("1.0.1."))/All Customers/MSSP/testCustomer1-Customer/testCustomer1#elseif($deviceAddress.startsWith("1.0.2."))/All Customers/MSSP/testCustomer2-Customer/testCustomer2#end

"

What this does is assign all logs coming in from deviceAddress within 1.0.1.0/24 to testCutomer1 and from deviceAddress within 1.0.2.0/24 to testCustomer2.

If you have networks that do not end on a clean /8, /16 or /24 boundary you will need more #if and #elseif conditions, but as I said it is doable.

All the best,

Stefan