What is the meaning of the Device Custom Number 1 and Device Custom Number 2 fields? How are the values of those fields calculated?
I want to know how those parameters are calculated.
I hope an expert can tell me how to calculate those parameters. Thanks.
These are custom fields that are filled in differently depending upon the device. They are filled when the more 'standard' fields of ArcSight are inadequate to fit particular types of data. Take a look at the device custom number & device custom string fields for a few different types of events.
You should be able to understand what a particular Device Custom Number is by referring to the corresponding Device Custom Number Label field.
I understand what you mean, however I do not understand the calculation relationship between them. I tried to calculate, but I did not get matching values. So I have doubts about those parameter settings. Maybe I just want to know why it is set up this way, where those parameters come from, and what I should query. I hope you can help me and give me some advice, thanks.
Pardon me, Rick. I had not seen the screenshots before I replied earlier. The ArcSight Console that I have in front of me today (Express 4.0) does not have those Device Custom Number fields for the Target Port Activity by Attacker data monitor. I only have Sorted by ... Maximum alarm frequency.
I found the below in the help for the Moving Average Data Monitor:
Alarm Change Threshold (%)
Specifies the moving average threshold, the percent change from the moving average, that will send a threshold exceeded event to the ArcSight Console. The threshold exceeded event is sent to the Console and can be used to create a rule. For more information on rules, see Creating Rule Actions. Type in a percentage. The default is 50.
Number of Samples
Type the number of Sampling Intervals to use to calculate the moving average, in seconds. The most recently stored Sampling Intervals are used to calculate the moving average. For example, if five Number of Samples are used, the last five Sampling Intervals are used to calculate the moving average.
Number of Visible Groups
Set the number of rows of results to display in the data monitor for each combination of ordering fields specified in the Group By parameter.
Sampling Interval
Type the time interval used to calculate the moving average, in seconds. For example, if the Sampling Interval is 5 minutes, the moving average is calculated every 5 minutes. The default is 300.
Group Discard Threshold
Specifies the minimum event counts needed to generate a threshold exceeded event. For example, event count could change from 1 to 2, a 100% change that results in a threshold exceeded event. To prevent these types of changes from generating a threshold exceeded event, specify the minimum event counts needed. If you want all events generated regardless of the event count, type 0.
Maximum Alarm Frequency
Thank you for your reply, I have understood. I will try to calculate now. If there is anything I do not understand, I will ask you for help. Thanks, and thank you for your help.
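The help text quoted above describes how Number of Samples, Alarm Change Threshold (%) and Group Discard Threshold interact. The following is an added example, not part of the thread and not ArcSight's own code, that models that interaction so the arithmetic can be checked by hand. It assumes that the average is taken over the previously stored intervals only, that the change is measured in either direction, and that the discard threshold is compared against the newest count; the class name, function names and group labels are hypothetical.

```python
from collections import deque

class MovingAverageMonitor:
    """Simplified model of the quoted help-text parameters (not ArcSight code)."""

    def __init__(self, num_samples=5, alarm_change_pct=50.0, group_discard=0):
        self.num_samples = num_samples            # Number of Samples
        self.alarm_change_pct = alarm_change_pct  # Alarm Change Threshold (%)
        self.group_discard = group_discard        # Group Discard Threshold
        self.windows = {}                         # group -> last N interval counts

    def close_interval(self, counts):
        """Take {group: event count} for the interval that just ended.

        Returns (group, count, moving_average, change_pct) for each group
        that would raise a threshold exceeded event under this model.
        """
        alarms = []
        for group, count in counts.items():
            window = self.windows.setdefault(group, deque(maxlen=self.num_samples))
            if window:
                # Assumption: average covers only previously stored intervals.
                average = sum(window) / len(window)
                # Assumption: discard threshold applies to the newest count.
                if average > 0 and count >= self.group_discard:
                    change_pct = abs(count - average) / average * 100.0
                    if change_pct > self.alarm_change_pct:
                        alarms.append((group, count, average, round(change_pct, 1)))
            window.append(count)
        return alarms

def replay(intervals, **params):
    """Feed a list of per-interval counts through a fresh monitor."""
    monitor = MovingAverageMonitor(**params)
    alarms = []
    for counts in intervals:
        alarms.extend(monitor.close_interval(counts))
    return alarms

# Constructed sample data: event counts per group for four sampling intervals.
INTERVALS = [
    {"port 22": 20, "port 8443": 1},
    {"port 22": 22, "port 8443": 1},
    {"port 22": 18, "port 8443": 1},
    {"port 22": 45, "port 8443": 2},
]

if __name__ == "__main__":
    for alarm in replay(INTERVALS, num_samples=3, group_discard=10):
        print(alarm)
```

With a Group Discard Threshold of 0, the change from 1 to 2 events on the low-volume group also raises an event, which is the case the help text warns about.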