Absent Member.

How to check if an Active List contains a string

I have a need to create a filter that checks if a field contains one of ~100 given strings. I understand that this cannot be done referencing Active Lists directly (there must be a complete match) so I am hoping to solicit suggestions on how I might achieve this. I am fairly new to ArcSight so have no previous experience of using variables in ESM but, looking through the online help, there isn't any obvious variable function that can help. I'd appreciate any pointers!

Best regards,

Shane

Acclaimed Contributor.

Re: How to check if an Active List contains a string

Hi Shane,

To be short: you have GetActiveListValue and other String function variables, and in the Filter Conditions you have the InActiveList functionality to check the particular strings in the Active List and compare them with the incoming events. Refer to the Console user guide for specifications.

If you have any further queries on the same, please do continue updating this thread with your requirement more precisely.

Trusted Contributor.

Re: How to check if an Active List contains a string

Hi,

I think it is not solvable with the current implementation in a general case.

If you know what part of the field content is supposed to be on the list (typical case is domains from FQDN), you can use a variable to cut the field content accordingly and then match.

Joachim

New Member.

Re: How to check if an Active List contains a string

Hi Shane,

If you are after a particular field you could add a map file to the connector (current\user\agent\map\map.2.properties, for example). The header of the map file could be:

regex.event.name,set.event.deviceCustomNumber1,set.event.deviceCustomString1

.*somestring.*,1,signature: .*somestring.*

...

.*,0,signature: .*

The process of matching stops when there is a match.

HTH

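The first-match behaviour of the map file in the reply above, modelled in Python as an added example (not part of the original post and not ArcSight code). Assumptions: the two sample strings are constructed placeholders, a row's regex must match the whole field (which is why the rows are written as `.*string.*`), and patterns contain no commas.

```python
import re

# Constructed map file in the shape shown in the post; the strings are placeholders.
MAP_FILE = """\
regex.event.name,set.event.deviceCustomNumber1,set.event.deviceCustomString1
.*failed login.*,1,signature: .*failed login.*
.*account locked.*,1,signature: .*account locked.*
.*,0,signature: .*
"""

def _strip(prefix, name):
    return name[len(prefix):] if name.startswith(prefix) else name

def load_map(text):
    """Parse header and rows into (getter field, setter fields, [(regex, values)])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    getter = _strip("regex.", header[0])
    setters = [_strip("set.", h) for h in header[1:]]
    rows = []
    for ln in lines[1:]:
        # Naive split: a pattern containing a comma would need real CSV quoting.
        pattern, *values = ln.split(",", len(setters))
        rows.append((re.compile(pattern), values))
    return getter, setters, rows

def apply_map(event, mapping):
    """Return a copy of the event with the setters of the first matching row applied."""
    getter, setters, rows = mapping
    value = event.get(getter, "")
    for regex, values in rows:
        if regex.fullmatch(value):  # assumption: whole-field match
            return {**event, **dict(zip(setters, values))}  # matching stops here
    return dict(event)

def flagged(event, mapping):
    """The filter then becomes an exact comparison on the flag field."""
    return apply_map(event, mapping).get("event.deviceCustomNumber1") == "1"

if __name__ == "__main__":
    m = load_map(MAP_FILE)
    for name in ("sshd: failed login for root", "session opened"):
        print(name, "->", apply_map({"event.name": name}, m))
```

Because matching stops at the first hit, the catch-all `.*` row has to stay last; placed above the specific rows it shadows them and every event is set to 0.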
Absent Member.

Re: How to check if an Active List contains a string

This can be accomplished by using the evaluate_velocity_template variable and some of the velocity template regex functions.

Try this doc:
