Highlighted
Vice Admiral
Vice Admiral
567 views

Bytes In/Bytes Out Odditiy

Hi Community,

I am currently facing an oddity when mapping event.bytesOut in a flex connector. The oddity is that I have mapped just event.bytesOut. But in ArcSight Console the exact same value is also shown in Bytes In. That obviously is complete nonsense.

As the connector has no means of determining a value for Bytes In I therefore tried to explicetly map event.bytesIn to NULL:

  • Provide no value: event.bytesIn=
  • Bytes In is an Integer field so maybe integerConstant with non-number literal string does the trick: event.bytesIn=__integerConstant(NULL)
  • Maybe literal String enclosed in quotes: event.bytesIn=__integerConstant("NULL")

Neither of the options did work. I still see my Bytes Out in Bytes In too. This is no real big issue for me. It just bothers me and I am wondering what I am doing wrong.

Connector version is 5.2.7, Manager version is 5.2 Console version is 5.2.0.

Thanks in advance,

Nils

Labels (2)
0 Likes
4 Replies
Highlighted
Commander
Commander

Hi Nils,

same issue on a Flex Connector that I have implemented to parse a FTP Server Log.

My goal was to create a top report, with the count of total number of bytes transferred (Up/Download) per User.

I mapped the bytesIn and bytesOut Fields as following:

In the case of a File Upload Event:

event.bytesIn = <parsed value from Log>

In the case of a File Download Event:

event.bytesOut = <parsed value from Log>

The result was the same you have reported in your case above.

That means, bytesOut and bytesOut are always equal

I also tried to set explicitly event.bytesOut to 0 (in the case of an Upload) respectively event.bytesIn to 0 in the case of a Download. But this will also not work.

Did you any solution for that?

0 Likes
Highlighted
Vice Admiral
Vice Admiral

Hi DiAd,

Our connectors are now running with version 6.0.7.6901.0. The problem of copied values still persists, if one is NULL, but setting to zero does indeed work for both fields.

For the sake of completeness:

  • On a connector that only parses valid bytesOut values, I set bytesIn explicitly to zero:

event.bytesIn=__integerConstant(0)

  • On another connector, where I always have values for bytesIn but only sometimes for bytesOut, I have done this:

event.bytesIn=__safeToInteger(BYTES_READ)

# Dumb ArcSight sets BytesOut to BytesIn, if BytesOut is null. We therefore manually set zero.

event.bytesOut=__oneOfInteger(\

  BYTES_WRITTEN,\

  "0"\

)

Both work. Only I feel a bit bad about setting the "magic value" zero. I'd rather like to strictly distinguish between "not set" i.e. NULL and "set to nothing" i.e. zero. But I can live with the workaround.

0 Likes
Highlighted
Commander
Commander

Hi Günther,

thanks a lot for your prompt and detailed answer.

It is now working with

event.bytesIn=__integerConstant(0)

The following was not working for me

event.bytesIn=__safeToInteger(BYTES_READ)

But it was possible to map the token (e.g. $5) directly.

0 Likes
Highlighted
Vice Admiral
Vice Admiral

Hi DiAd,

I guess this is, because you provided type Integer for token $5. I could not do that and therefore treated the token as String using __safeToInteger/__oneOfInteger.

Cheers Nils

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.