Absent Member.

(TTP 59893) 4.5 sp1 Query Viewer - normal investigation menu option missing

When you create a query viewer where the source is a Trend or Active List you don't get the normal investigate>create active channel with property X in the investigate menu option. When your query viewer source isn't one of these items you do. The ability to quickly open and drill down into cascading active channels is an incredibly powerful tool. Please, please let us be able to do this from these sorts of query viewers.
4 Replies
Absent Member.

You should be able to drill down into an active channel from a query viewer and get the normal "create channel..." or "add condition..." menu items, but it has to be done from an event-based field. The QV UI is more sensitive to where you initiate the right click investigate from. If you do it from the row AND column of the event-based field, you should get the drilldown to an AC. Otherwise, IIRC, you won't.

Let me know if this solves your issue.

Absent Member.

David - your answer is helpful in the sense that it sheds some light on expected behavior. It doesn't "solve" my issue though because I would like to have that behavior exist on a field based AL. When we had our onsite training the impression we were all left with was that using field based ALs worked just as well if not better than event based and you had the added bonus of being able to name the fields whatever you wanted. The problem in my mind is ArcSight is very much like a multi-tiered, cantilevered mouse trap. If you change something at a base content level like an Active List you end up "breaking" a lot of things you then have to go back and remap/rebuild/etc.
Absent Member.

Field based Active Lists are very flexible in that you name / populate the fields totally as you wish. However, there is no in-built mechanism to drill down to an event-based active channel, because there is no way to specify that an AL field named "External Intruder Addresses" is supposed to map to "sourceAddress". So the QV isn't able to specify a drilldown to an AC. This is something we might be able to add in a later release. If you *happen* to name a field in the QV / AL with a name that corresponds to an event field name, it would probably allow you to do the additional investigation options.

For now, you could construct an event-based QV with the event-based query you want, and then you should be able to drilldown / map from the parent AL-based QV to the event-based QV. And then, once you get to the event-based QV drilldown, you could actually go from there to a channel. Going through an event-based QV might also let you do other interesting things like baselines, aggregation, charts, etc.

Absent Member.

I know on a development front there is an inverse relationship between how easy things appear on the front end relative to the complexity on the back end it takes to actually implement (usually). However, since you already define the data type fields when you set up the field based list isn't it "just" a case of mapping corresponding data type fields and passing the cell contents to a variable? That way you don't try to pass an IP address to a string field or something like that.
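The two points argued in this thread, that a field-based Active List column such as "External Intruder Addresses" carries no link to an event field such as sourceAddress, and that matching on declared data type alone only works when the type picks out exactly one event field, can be made concrete with a small model. The following is an added illustrative example, not ArcSight code and not any poster's own: the event schema, the Active List columns, the `explicit_map` parameter and the function names are all constructed for the demonstration, and the "create active channel with property X" condition is rendered as a plain string.

```python
"""Illustrative model of Query Viewer drilldown resolution from an Active List row.

Added example, not ArcSight code. It models how a Query Viewer could decide
whether a cell from a field-based Active List can become a channel filter:
an explicit mapping first, then a name that happens to match an event field,
then a data-type match that is only usable when it is unambiguous.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subset of an event schema: event field name -> data type.
EVENT_FIELDS = {
    "sourceAddress": "IPAddress",
    "destinationAddress": "IPAddress",
    "sourceUserName": "String",
    "destinationPort": "Integer",
}


@dataclass(frozen=True)
class ALField:
    """A column of a field-based Active List: arbitrary name plus declared type."""
    name: str
    data_type: str


def value_matches_type(value, data_type):
    """Reject cell values that do not fit the declared type (no IP into an Integer field)."""
    if data_type == "IPAddress":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if data_type == "Integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if data_type == "String":
        return isinstance(value, str)
    return False


def candidate_event_fields(al_field, event_fields=EVENT_FIELDS, explicit_map=None):
    """Event fields a cell of `al_field` could be turned into a channel filter on.

    Resolution order:
      1. an explicit AL-column -> event-field mapping (hypothetical; the thread
         says no such mechanism exists),
      2. an AL column that happens to share its name with an event field,
      3. every event field with the same data type (ambiguous unless exactly one).
    """
    explicit_map = explicit_map or {}
    if al_field.name in explicit_map:
        return [explicit_map[al_field.name]]
    if al_field.name in event_fields:
        return [al_field.name]
    return [name for name, t in event_fields.items() if t == al_field.data_type]


def channel_condition(al_field, value, event_fields=EVENT_FIELDS, explicit_map=None):
    """Filter condition for "create active channel with property X", or None.

    None means the Query Viewer should not offer the drilldown: the value does
    not fit the declared type, or no single event field can be chosen.
    """
    if not value_matches_type(value, al_field.data_type):
        return None
    candidates = candidate_event_fields(al_field, event_fields, explicit_map)
    if len(candidates) != 1:
        return None
    return f"{candidates[0]} = {value!r}"


if __name__ == "__main__":
    # Constructed Active List columns, named the way a user might name them.
    intruder = ALField("External Intruder Addresses", "IPAddress")
    port = ALField("Attacker Port", "Integer")
    same_name = ALField("sourceAddress", "IPAddress")
    print(channel_condition(same_name, "10.0.0.5"))   # name matches an event field
    print(channel_condition(intruder, "10.0.0.5"))    # None: two IPAddress event fields
    print(channel_condition(intruder, "10.0.0.5",
                            explicit_map={"External Intruder Addresses": "sourceAddress"}))
    print(channel_condition(port, 4444))              # only one Integer event field
```

The `port` case is where the type-only suggestion works (one Integer field in the schema), and the `intruder` case is where it fails: two IPAddress fields are type-compatible, so without an explicit mapping or a matching name the viewer cannot pick one, which is the gap the earlier reply describes.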