MarkR1 Absent Member.

Logger - ability to query requestURL field (FR 51462)

The requestURL field in Logger isn't queryable. While you have limited search capability on this from the ad-hoc search mechanism, you aren't able to incorporate searches that are more robust or cover a very long time frame like you can with a scheduled task. This has huge ROI for us.

If you believe this would add value to your ArcSight deployment please contact support to have them add you to the ticket as well as notifying your sales rep.

Updated subject line to reflect Gary's TTP

gportnoy1
New Member.

Re: Logger - ability to query requestURL field (FR 55656)

I beat you on this one

TTP 51462 - Request URL not available for reporting/querying in logger.

This just highlighted the value of this new forum for me. I bet there are so many duplicate FRs in the system, ArcSight can't get an accurate read of how "important" something actually is.

tliu Absent Member.

Re: Logger - ability to query requestURL field (FR 55656)

Yes, the activity here and folks chiming in will help be another data source in gauging demand. Keep 'em coming!

Trisha
MarkR1 Absent Member.

Re: Logger - ability to query requestURL field (FR 55656)

I agree with the value added by this section. My suggestion is we do the following since yours is older than mine.

You post a thread in this section with that FR

I will update my original post in this thread to reference yours and then request that the thread be locked.

I will go into my feature request and request support close my ticket and move my name and anyone attached to 55656 to your request number.

abavosa2 Absent Member.

Re: Logger - ability to query requestURL field (FR 55656)

The RequestURL field will be added to the logger schema in an upcoming release (so that it will be searchable and reportable). We're currently working on this as we speak. In fact, we are adding a total of 15 new fields to the schema.

One side note is that the RequestURL field will not be 'indexable'. All other new fields will be indexable.

cheers!

alan

MarkR1 Absent Member.

Re: Logger - ability to query requestURL field (FR 55656)

Searchable but not indexable on a field like requestUrl makes sense. Do you have a target date/quarter for the release?
dzuperku1 Absent Member.

Re: Logger - ability to query requestURL field (FR 55656)

Was this ever implemented?

I still can’t seem to create a custom fieldset that includes requestUrl in logger 5.5.

gportnoy1
New Member.

Re: Logger - ability to query requestURL field (FR 55656)

I think this is a slightly different issue and it wouldn't surprise me if this was a bug. I also noticed that requestUrl doesn't show up as one of the options you can select for inclusion in a custom field set in 5.5, so if you didn't upgrade from 5.0 with that field in a field set, then you can't have it. I hope this was corrected in 6.0, but don't know. I recommend you reach out to support and open a bug if one doesn't exist.

AlexMuratov1 Absent Member.

Re: Logger - ability to query requestURL field (FR 51462)

Interesting, but I see the field "requestUrl" in the list of offered fields for search (Logger 5.5 SP1).

Another way to search is to use a combination of "destinationHostName" (it is indexed) and "requestUrlFileName", like this:

deviceVendor = "Blue Coat" and destinationHostName = "apps.barchart.com" and requestUrlFileName = "/webstart-station/html/deployJava.js"

Such a search is not as fast as a search by indexed fields; at least ~20,000 events/s is observed.

nmbabkin1 Absent Member.

Re: Logger - ability to query requestURL field (FR 51462)

We can search by requestURL field in 6.0, so try to upgrade. It is also much faster than 5.3 and 5.5.

rvoloch Respected Contributor.

Re: Logger - ability to query requestURL field (FR 51462)

I was told by support that the requestUrl field is not indexable in logger 6.0. We configure our URL filter to send syslogs to logger because the reporting engine on our current (and even our previous) URL filter is terrible. ArcSight logger is much better at collecting, archiving and reporting on this data. However, if you want to perform a search of all hits to a given URL (e.g. requestUrl contains "softwaresupport.hp.com") logger is very slow because this field is not indexable. I've requested a feature request.

gportnoy1
New Member.

Re: Logger - ability to query requestURL field (FR 51462)

Ryan,

To get around that limitation I set up logger to index requestUrlFileName and requestClientApplication (which also helps a lot in searches we do). Then, since I believe destinationHostName is already indexed and is the same as requestUrlHost you can do searches like destinationHostName = "something.com" and requestUrlFileName = "/something.php". It's been working great for me.

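The workaround described in the replies above (searching the indexed destinationHostName together with requestUrlFileName instead of the unindexed requestUrl), as an added example that is not part of any poster's message or of ArcSight's tooling. The function names are hypothetical, and it assumes requestUrlFileName holds only the URL path (as in the query quoted earlier in the thread) and has been indexed as described.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def _quote(value):
    # The thread shows no escaping rule for quoted values, so refuse
    # anything that could break out of the string instead of guessing one.
    if '"' in value or "\\" in value or any(ord(c) < 32 for c in value):
        raise ValueError(f"unsafe character in search value: {value!r}")
    return f'"{value}"'

def indexed_url_query(url, device_vendor=None):
    """Turn one URL into a Logger search that uses only the fields the
    thread names: destinationHostName and requestUrlFileName."""
    # URLs copied from tickets or proxy logs often lack a scheme.
    if not _SCHEME.match(url):
        url = "http://" + url
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no host in URL: {url!r}")
    terms = []
    if device_vendor:
        terms.append(f"deviceVendor = {_quote(device_vendor)}")
    # .hostname drops userinfo and port and lowercases the name
    # (assumption: the connector logs host names in lowercase).
    terms.append(f"destinationHostName = {_quote(parts.hostname)}")
    # Host-only URLs get no path term; the query string and fragment are
    # dropped because requestUrlFileName is assumed to hold the path only.
    if parts.path not in ("", "/"):
        terms.append(f"requestUrlFileName = {_quote(parts.path)}")
    return " and ".join(terms)

if __name__ == "__main__":
    # Constructed sample inputs, taken from values quoted in the thread.
    for sample in (
        "http://apps.barchart.com/webstart-station/html/deployJava.js",
        "something.com/something.php?id=1",
        "https://softwaresupport.hp.com:443/",
    ):
        print(indexed_url_query(sample))
```
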
rvoloch Respected Contributor.

Re: Logger - ability to query requestURL field (FR 51462)

That is a great workaround and would work with most connectors... However, a certain content filter I know of needs to step up to fix their CEF integration.
