Absent Member.

IPS aggregation issue

Hi all,

I need help.

I have an IPS device in my monitoring scope.

For a particular event I am getting the device action, but when I get the same event with an aggregated event count, I find the device action is blank.

I don't know why.

Moreover, I have not configured any aggregation on the rule, so why is it aggregating?

I am using ArcSight Express 3.

Contributor.

Re: IPS aggregation issue

The problem is your aggregation setting of the connector. Open your connector config in the console, Tab "Default" - Tab "Content". Scroll down to "Field Based Aggregation". Now you have two options. Enable ("Yes") the option "Preserve Common Fields" or (and I think it's the better solution) add "Device Action" to the "Field Names".

Absent Member.

Re: IPS aggregation issue

Hi Manuel,

Thanks for replying to my query. I am going with the second option.

I have made the necessary changes; let's see if it works.
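
The two connector options discussed in this thread, as an added example that is not part of the original posts and is not ArcSight code: a simplified Python model of field-based aggregation showing why "Device Action" comes out blank on aggregated events. The event values, the `aggregate` and `device_actions` helpers, and the exact merge behaviour are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): same signature and source,
# one of them carrying a different device action.
EVENTS = [
    {"name": "IPS signature 1001", "sourceAddress": "10.0.0.5", "deviceAction": "blocked"},
    {"name": "IPS signature 1001", "sourceAddress": "10.0.0.5", "deviceAction": "blocked"},
    {"name": "IPS signature 1001", "sourceAddress": "10.0.0.5", "deviceAction": "permitted"},
]


def aggregate(events, field_names, preserve_common_fields=False):
    """Simplified model (assumption): merge events whose values match on
    every field listed in field_names; other fields are dropped."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev.get(f) for f in field_names)].append(ev)

    merged = []
    for key, members in groups.items():
        out = dict(zip(field_names, key))
        out["aggregatedEventCount"] = len(members)
        if preserve_common_fields:
            # Keep a non-listed field only if every merged event agrees on it.
            for field, value in members[0].items():
                if field not in out and all(m.get(field) == value for m in members):
                    out[field] = value
        merged.append(out)
    return merged


def device_actions(aggregated):
    """Return (deviceAction, count) per aggregated event; None means blank."""
    return [(e.get("deviceAction"), e["aggregatedEventCount"]) for e in aggregated]


if __name__ == "__main__":
    keys = ["name", "sourceAddress"]
    # Device Action not in the field list: it is lost on the merged event.
    print(device_actions(aggregate(EVENTS, keys)))
    # Preserve Common Fields: still blank here, because the actions differ.
    print(device_actions(aggregate(EVENTS, keys, preserve_common_fields=True)))
    # Device Action added to the field list: one aggregated event per action.
    print(device_actions(aggregate(EVENTS, keys + ["deviceAction"])))
```

In this model, preserving common fields keeps the action only when every merged event carries the same one, while adding the field to the aggregation key keeps it in all cases at the cost of more aggregated events.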
