javelin9999 Absent Member.

"Add to existing case" not working as expected

I hope this is an easy question. We are trying to have a rule create a case and then if the rule triggers again (or the threshold is met again), have the new events that came in added to the already existing case. We are creating the case names dynamically using a local variable in the case name (e.g. "AUP Violation - $Bump") with the $Bump variable being the username that triggered the event.

The rule works as expected, except that on the next threshold, instead of the events being added to the existing case, we are getting new cases created with names exactly identical to our first existing case but with a number after them (e.g. AUP Violation - $Bump(1), AUP Violation - $Bump(2), AUP Violation - $Bump(3), etc.).

We have the "CaseURIIsDynamic: Yes" turned on in the rule action.

I've attached a snapshot of our rule actions.

Anyone have any ideas why this isn't working? Is it because we are using a local variable in the case name?


Accepted Solutions
RomaN Super Contributor.

Re: "Add to existing case" not working as expected

You should replace the "Create New Case" action with "Add to existing Case". It also creates a new case if it isn't accessible.

When you already have a case with the same name that you specify in the action, "Create New Case" creates a new case with the name "<Case Name> (N)", where N is the number of the case's copy, while "Add to existing case" just adds events.

javelin9999 Absent Member.

Re: "Add to existing case" not working as expected

We were told by ArcSight support that this was a bug and was fixed in the 5.2 version of ESM. We have upgraded to 5.2 but are still seeing the exact same issue.

Anyone have any ideas?

javelin9999 Absent Member.

Re: "Add to existing case" not working as expected

Thank you, that method seems to have corrected our issue.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.