Bytes In/Bytes Out Oddity
I am currently facing an oddity when mapping event.bytesOut in a flex connector. The oddity is that I have mapped just event.bytesOut. But in ArcSight Console the exact same value is also shown in Bytes In. That obviously is complete nonsense.
As the connector has no means of determining a value for Bytes In, I therefore tried to explicitly map event.bytesIn to NULL:
- Provide no value: event.bytesIn=
- Bytes In is an Integer field so maybe integerConstant with non-number literal string does the trick: event.bytesIn=__integerConstant(NULL)
- Maybe literal String enclosed in quotes: event.bytesIn=__integerConstant("NULL")
None of the options worked. I still see my Bytes Out in Bytes In too. This is no real big issue for me. It just bothers me and I am wondering what I am doing wrong.
Connector version is 5.2.7, Manager version is 5.2, Console version is 5.2.0.
Thanks in advance,
Same issue on a Flex Connector that I have implemented to parse an FTP Server Log.
My goal was to create a top report, with the count of total number of bytes transferred (Up/Download) per User.
I mapped the bytesIn and bytesOut fields as follows:
In the case of a File Upload Event:
event.bytesIn = <parsed value from Log>
In the case of a File Download Event:
event.bytesOut = <parsed value from Log>
The result was the same as you have reported in your case above.
That means bytesOut and bytesOut are always equal.
I also tried to explicitly set event.bytesOut to 0 (in the case of an Upload) and event.bytesIn to 0 (in the case of a Download). But this also does not work.
Did you find any solution for that?
Our connectors are now running with version 220.127.116.1101.0. The problem of copied values still persists, if one is NULL, but setting to zero does indeed work for both fields.
For the sake of completeness:
- On a connector that only parses valid bytesOut values, I set bytesIn explicitly to zero:
- On another connector, where I always have values for bytesIn but only sometimes for bytesOut, I have done this:
# Dumb ArcSight sets BytesOut to BytesIn, if BytesOut is null. We therefore manually set zero.
Both work. Only I feel a bit bad about setting the "magic value" zero. I'd rather like to strictly distinguish between "not set" i.e. NULL and "set to nothing" i.e. zero. But I can live with the workaround.
Thanks a lot for your prompt and detailed answer.
It is now working with
The following was not working for me
But it was possible to map the token (e.g. $5) directly.
I guess this is because you provided type Integer for token $5. I could not do that and therefore treated the token as String using __safeToInteger/__oneOfInteger.