Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
Absent Member.
Absent Member.
669 views

Problem when using "File" as event resource.

Hi experts,

We have got this problem when using Sentinel 7.4.1 to get event from a flat file.

Collector: NetIQ Universal Event
Connector: File Connect

The "file" event source contains several lines of data, say:

Line A Data, xxx, xxx
Line B Data, xxx, xxx

And there comes 2 events in Sentinel, which is normal:

Event: Line A Data, xxx, xxx
Event: Line B Data, xxx, xxx

Later when there is one more line (Line C) of data added to the file, the file becomes to:

Line A Data, xxx, xxx
Line B Data, xxx, xxx
(Newly Added!) Line C Data, xxx, xxx

Now there come 3 new events (instead of only one) which make the total number of events to 5:

Event: Line A Data, xxx, xxx
(New!) Event: Line A Data, xxx, xxx
Event: Line B Data, xxx, xxx
(New!) Event: Line B Data, xxx, xxx
(New!) Event: Line C Data, xxx, xxx

But what we actually expected is that ONLY ONE new event being collected, and which should be correspondent to the newly added line of data in the flat file:

Line A Data, xxx, xxx
Line B Data, xxx, xxx
(New!) Line C Data, xxx, xxx

We have tried setting the connector to "Always start from end of data", but it did not change the result.

So, could someone please guide us how to make the collector/connector only crawls the incremental line of data of the flat text file as new event(s)? Thanks a lot.
0 Likes
1 Reply
Absent Member.
Absent Member.

qliu;2434897 wrote:
So, could someone please guide us how to make the collector/connector only crawls the incremental line of data of the flat text file as new event(s)? Thanks a lot.


Hi,

please check if you use the latest Version or Preview-Version of the File Connector and the NetIQ Universal Collector.

Officially Supported:

File_2011.1r1.cnz.zip
NetIQ_Universal-Event_2011.1r5.clz.zip

Preview and Test:

File_2011.1r2-201603300849-preview.cnz.zip
NetIQ_Universal-Event_2011.1r6-201607190129-preview.clz.zip

Download under: https://www.netiq.com/support/sentinel/plugins/

Normally your PSE support both, the "Officially Supported" and the "Preview and Test" Version. Also it's possible to role back from a newer to an older version.

The way such a file is read, you can configure in the ESM at the Event Source. There are three Options:


  • Resume from saved offset
  • Always start from beginning of data
  • Always start from end of data


In your case, i think the right option is "Resume from save offset". In my case this configuration works.

I hope I could help you! Good luck. Jan
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.