Can a Rule Check the Count of an Item in an Active List?


Basically I have a rule that populates an ActiveList with an IP and each time it does it takes action A. After it's taken action A say 4 times, and increased the count for that specific IP in the AL by as many, I want it to take action B instead.

11 Replies
Reply (Absent Member):

On an active list update event the old values are in customString4 or 5 and CS5 or 6 has the new values – at least that's true if I have remembered that correctly. If you parse that you can pull out a count I would think. The problem is trying to do branching logic in the rule itself (at least that is how I read your post). I can't think of a good way to do that. Sounds like having 2 separate rules that depend on seeing what the previous count was might be the way to go. Isolating the "count" field, I think, will be the problematic part.

Reply (Absent Member):

I was anticipating needing two rules, but from re-reading my original question it does sound like branching, which would be cool if ArcSight could do in the future. I'll try monitoring the AL update event and report back.

Reply (Absent Member):

I guess the real piece is: do you care if action A continues to happen once you have met the criteria for action B? If all you are really interested in is that, once a threshold is met, this IP is added somewhere else, then I think you could get away with a rule that looks for the AL update event associated with action A and not worry about how many times that fires. The trickier part (to me) is if you need/want action A to stop once it has met the threshold, depending on what it is you are ultimately trying to do.

Reply (Absent Member):

To accomplish that I would have Action B populate another AL and the Rule for Action A check if the IP is already in the AL from Action B before proceeding with Action A.

I created Active Channels for both the AL and Rule. The AL AC turned up empty and the Rule AC had two types of events:

1. Device Event Class ID "rule:100" name "<Rule Name>": Contains the event information to be added to the AL. No information I see about the AL.

2. Device Event Class ID "rule:310" name "AddToList: Success": I don't see anything useful. The Device Custom Fields just have information about the item added nothing about current or previous counts.

Should I be checking for the needed event differently?

Accepted solution (Absent Member):

Couple ways to look. Throw the AL name in the file name field and/or the rule name in the generatorName field. Ultimately you are looking for an AL update event. I don't have my ESM open so can't look.
Reply (Absent Member):

Thanks, found it.

As a reference to anyone trying to do the same thing in the future:

The Generator fields were empty.

Event Name: ActiveList entry updated

File Name: The name of the AL, nothing more nothing less.

Device Custom Number1.Count: The field I'm looking for

Device Custom String4.Entry Value: The new values (for my AL I have two fields I'm populating so while the IP stays the same field 2 changes)

Device Custom String5.Original Entry Value: The previous values.

Reply (Absent Member):

Jason, this is possible. I've done this a lot in the past to write rules that fire in tiers. That does mean that it usually requires more than one rule, but that's not a very big deal because they are usually pretty simple over all.

What you will do is create an active list that contains the fields that you want to see, in addition to at least one 'count' field (not the default count field). The active list will need some type of key field that is unique for whatever the list will be holding. I usually refer to this type of active list as a matrix list.

You are also going to need to use 'GetActiveListValue' variables in the rules.

So what you do with the rules, in general, is you will have at least three tiers of rules:

1. Primer

2. Loop

3. Trigger

The basic idea is that you use the primer to add your first instance of whatever it is to the active list. The key point is that you use the variable to search the active list for your key field, and if the associated 'count' field value is null, the primer rule fires. If the 'count' field is any value other than null it does nothing (meaning you have to add the variable IS NOT NULL to your conditions tab). When the primer fires it adds all the associated data to the AL and uses a set event field action to change the 'count' field to 1.

The loop rule/s are used to count the number of occurrences of the rule firing. This rule can only fire if the value in the 'count' field is > 0 AND < X, where X is the number you want it to count up to before taking action. The loop rule uses the same process of using the variable to get the current 'count' from the active list, and every time there is a match the loop rule will use an add variable in conjunction with a set event field action to increment the 'count' field by one.

This will cause the 'count' field to increment over time. Once it reaches X the loop rule will no longer fire on it and that is when the trigger rule will fire taking your specified action as well as removing the entry from the matrix list; thus starting the whole process over again.

Reply (Absent Member):

Oh, and to be as specific as possible, I also have a time field in the active list to which I write the last end time over and over again. Because the getactivelistvalue variable gives you access to all fields in associated events, you use this time field in conjunction with one of the time difference variables to throttle how often the rules will fire. Sometimes the correlation engine seems to fire rules simultaneously, and if that were to happen then a single alert might be able to transition a number of tiers at once (which is bad), so you specify in the conditions that the time difference must be at least X (timediff >= X). That way the rules cannot fire off of the same alert, and it allows you a little more control over how quickly all of your rules' conditions must be met.

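The primer / loop / trigger tiers and the last-end-time throttle from the two posts above, as an added simulation that is neither the poster's rules nor ArcSight code: the matrix active list is a plain dict, the three rules are branches of one method, and the event stream is a constructed list of (key, end time) pairs. Names such as TieredCounter, x, min_gap and the IP keys are assumptions made here for illustration.

```python
"""Added example (not from the thread or ArcSight): a simulation of the
primer / loop / trigger rule tiers over a matrix active list, including the
last-end-time throttle from the follow-up post. The matrix list is a dict and
the events are constructed (key, end_time) pairs; all names are assumptions."""


class TieredCounter:
    """Stand-in for three ESM rules sharing one matrix active list.

    Each entry keeps the 'count' field (not the list's built-in count) and the
    last end time written by whichever rule fired. One event can move an entry
    by at most one tier, because loop and trigger require
    end_time - last_end_time >= min_gap (the timediff >= X condition).
    """

    def __init__(self, x, min_gap):
        self.x = x                  # count value at which the trigger rule fires
        self.min_gap = min_gap      # seconds; throttle between tier transitions
        self.matrix = {}            # key -> {"count": int, "last_end_time": int}

    def lookup(self, key):
        # GetActiveListValue equivalent: None plays the role of a NULL count.
        return self.matrix.get(key)

    def evaluate(self, key, end_time):
        """Return the tier that fires for this event: 'primer', 'loop', 'trigger' or None."""
        entry = self.lookup(key)
        if entry is None:
            # Primer: count is NULL -> add the entry and set count to 1.
            self.matrix[key] = {"count": 1, "last_end_time": end_time}
            return "primer"
        if end_time - entry["last_end_time"] < self.min_gap:
            return None  # throttled: same or near-simultaneous event, no transition
        if 0 < entry["count"] < self.x:
            # Loop: count + 1 via an add variable and a set-event-field action.
            entry["count"] += 1
            entry["last_end_time"] = end_time
            return "loop"
        # Trigger: count reached x on an earlier event; take action B and
        # remove the entry so the cycle starts again with the primer.
        del self.matrix[key]
        return "trigger"


def simulate(events, x, min_gap):
    """Run constructed (key, end_time) events through the tiers; return fired tiers."""
    tc = TieredCounter(x, min_gap)
    return [(key, t, tc.evaluate(key, t)) for key, t in events]


# Constructed event stream (epoch-style seconds); not real ESM data.
SAMPLE_EVENTS = [
    ("10.0.0.5", 0), ("10.0.0.9", 0),
    ("10.0.0.5", 60), ("10.0.0.5", 60),      # second one arrives at the same time
    ("10.0.0.5", 120), ("10.0.0.5", 180),
    ("10.0.0.5", 240),                        # count is already 4 here -> trigger
    ("10.0.0.5", 300),                        # entry was removed -> primer again
]

if __name__ == "__main__":
    for row in simulate(SAMPLE_EVENTS, x=4, min_gap=30):
        print(row)
```

Two things the simulation makes visible: the duplicate event at second 60 is dropped by the throttle instead of advancing the count, and the trigger fires on the event after the count reaches x, exactly as the post describes it, so with x = 4 action B happens on the fifth event. If action B should happen on the Nth event itself, set x to N - 1.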
Reply (New Member):

I like the 3 rule idea, but I've just been doing this with two rules.

First rule looks for my specific conditions and adds the event to an active list

Second rule looks for the updated entry in the active list with that specific active list name and the count that I am looking for. Only thing is, the details of what reached this count are all in one custom field broken up by "|". I'm not really sure how to parse that out, but maybe someone can help us both with that.

The only reason why you might want to parse it is if you're sending notifications or alerts and want to include more relevant details.

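The two-rule approach above, together with the field list from the earlier "Thanks, found it" post, as an added example that is not from the thread or from ArcSight: Python standing in for the second rule, which keeps only "ActiveList entry updated" audit events whose File Name is the list of interest, checks Device Custom Number 1 (Count) against the threshold, and splits Device Custom String 4 on "|" so the IP can go into a notification. The audit events are constructed dicts; the list name, the field names, the dict keys, and the assumption that the "|"-delimited Entry Value follows the active list's field order are all assumptions made here, not documented ESM behaviour.

```python
"""Added example (not from the thread or ArcSight): a second rule's logic over
'ActiveList entry updated' audit events, with the Count check and the '|' parsing
the posts describe. The audit events are constructed dicts; the '|' layout and
field order of the Entry Value string are assumptions."""

# Event name reported in the thread for the AL update audit event.
AL_UPDATE_EVENT_NAME = "ActiveList entry updated"

# Assumed layout of the active list used here: key field first, then a detail field.
AL_FIELDS = ["sourceAddress", "lastAction"]


def parse_entry_value(raw, field_names, sep="|"):
    """Map a '|'-delimited Entry Value onto the active list's field names.

    Assumption: values are in the same order as the list's fields. A field-count
    mismatch returns None rather than mis-mapping columns, so an alert never
    carries the wrong value under the wrong label.
    """
    parts = [p.strip() for p in raw.split(sep)]
    if len(parts) != len(field_names):
        return None
    return dict(zip(field_names, parts))


def select_threshold_updates(events, list_name, threshold, field_names, mode="once"):
    """Pick the AL update events on `list_name` that should drive action B.

    mode="once": fire only when Count == threshold (action B happens one time).
    mode="sustained": fire on every update with Count >= threshold.
    Events with another name (e.g. 'AddToList: Success'), another list in
    File Name, or an unparsable Entry Value are ignored.
    """
    if mode not in ("once", "sustained"):
        raise ValueError("mode must be 'once' or 'sustained'")
    hits = []
    for ev in events:
        if ev.get("name") != AL_UPDATE_EVENT_NAME or ev.get("fileName") != list_name:
            continue
        count = ev.get("deviceCustomNumber1")
        if count is None:
            continue
        if (mode == "once" and count != threshold) or (mode == "sustained" and count < threshold):
            continue
        entry = parse_entry_value(ev.get("deviceCustomString4", ""), field_names)
        if entry is None:
            continue
        previous = parse_entry_value(ev.get("deviceCustomString5", ""), field_names)
        hits.append({"count": count, "entry": entry, "previous": previous})
    return hits


# Constructed sample audit events; values are invented, not captured from an ESM.
SAMPLE_EVENTS = [
    {"name": AL_UPDATE_EVENT_NAME, "fileName": "Suspicious Sources",
     "deviceCustomNumber1": 3,
     "deviceCustomString4": "10.0.0.5|ssh-bruteforce",
     "deviceCustomString5": "10.0.0.5|port-scan"},
    {"name": "AddToList: Success", "fileName": "Suspicious Sources",  # rule:310, no count
     "deviceCustomString4": "10.0.0.5|ssh-bruteforce"},
    {"name": AL_UPDATE_EVENT_NAME, "fileName": "Suspicious Sources",
     "deviceCustomNumber1": 4,
     "deviceCustomString4": "10.0.0.5|ssh-bruteforce",
     "deviceCustomString5": "10.0.0.5|ssh-bruteforce"},
    {"name": AL_UPDATE_EVENT_NAME, "fileName": "Other List",  # wrong list, high count
     "deviceCustomNumber1": 9,
     "deviceCustomString4": "10.0.0.9|x", "deviceCustomString5": "10.0.0.9|x"},
    {"name": AL_UPDATE_EVENT_NAME, "fileName": "Suspicious Sources",
     "deviceCustomNumber1": 5,
     "deviceCustomString4": "10.0.0.5|ssh-bruteforce",
     "deviceCustomString5": "10.0.0.5|ssh-bruteforce"},
    {"name": AL_UPDATE_EVENT_NAME, "fileName": "Suspicious Sources",  # malformed value
     "deviceCustomNumber1": 6,
     "deviceCustomString4": "10.0.0.7", "deviceCustomString5": "10.0.0.7"},
]

if __name__ == "__main__":
    for hit in select_threshold_updates(SAMPLE_EVENTS, "Suspicious Sources", 4, AL_FIELDS):
        print(hit)
```

The mode switch is the point raised earlier in the thread about whether action A keeps happening: matching Count == threshold gives action B once per entry, while Count >= threshold re-fires on every later update, which is usually not what a notification rule wants. The filter on event name is also why the "AddToList: Success" (rule:310) event and the rule:100 event carry no count in this model; only the update audit event does.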
Reply (Frequent Contributor):

Justink,

I know the thread is a bit old; however, I'm attempting to implement the three-rule implementation you have mentioned but am running into some issues. I'm new to using variables pulled from active lists and having trouble manipulating them into my conditions for the primer and loop. Is there a chance you could elaborate specifically how you created your rules, or even offer a package with a template of how you are performing this?

Thanks!

Reply (Absent Member):

I know this answer may be a year late, but I thought the answer to your question, Grant, may help others. This is how I parsed the information out of the Device Custom String 4 field. I thought a picture would better explain what I did to parse the information – please see the attached pdf.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.