Custom Type Field does not work with Filter in the Correlation Engine
I am trying to create a correlation rule that would trigger if the Risk Factor is over 60. Since the default Parser would not capture the Risk Factor, I created a ASP to capture the information from the log and a new custom field for it.
Firstly, I went to System Properties > Custom Types to create a Integer field, with Index option and named Risk Factor. The name in the pic below is not correct, but the setting is the same. I also check the Index Data Option.
Then create an ASP to capture the Risk Factor. Everything is working fine, the ASP capture the information and display it in the Custom Type Tab. I can run Filter and search for the Risk Factor value. No Issue here.
I create a really basic Correlation Rule that would Trigger if the Risk Factor is greater than 60.
However, when I try to roll it out, this is the error that I received.
I tried a lot of option in the custom field, filter... none is working. However, if I edit the ASP and map the information into an already-existed custome field, the correlation rule working fine. I firgured that the problem is the custom field that I created.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.