My colleague and I have been working on our Peakflow SP feeds to make them more meaningful. After some successful regex manipulation, we now realize that we need custom fields that better describe the data we are now parsing, for example "Managed_Object".
We've created a number of new fields, but we're confused as to the use of the "Event Field". What we have found is that after creating these new custom types, and making sure they are indexed, we're unable to see them when we click on the "add custom field" cross icon in the "Field Assignment" tab in ASP.
Through some experimentation we have come to the conclusion that if a predefined field has the same "Event Field" type, e.g. "Custom Field - 7 (short)", then the corresponding custom field with the same event field type will not be offered. Is this the case?
Also, could we get an explanation of the event field option, specifically when short or long are applied?
We're currently using ESM 9.3.2
Thank you in advance.
There are a finite number of custom fields that you can use in a given rule. Each field may be used for a number of different data types in different rules, but a given rule may only use a given custom field once. In your case, Custom7 is mapped to Source User. If your rule uses the Source User field (very likely), then you will be unable to use Custom7 for a custom type of your own. If you move your custom type to a different (unused) custom field, you will be able to map it as you expect.
"Short" vs. "Long" in this context has to do with how much space is allocated in the DB for the string. Custom fields 1-10 are short string fields. Custom fields 21-27 are long string fields. In this context, if I recall correctly (not sure I do), a short string is up to 100 characters, and a long string is 256.
Thanks Scott, that certainly confirms what we were seeing.
I guess a useful thing, though, would be to see what each field event type value is, so that we can create the appropriate value for the custom type that won't impinge on the rule under scrutiny.
Are you actually able to "move" your custom type's event field, or is that an expression to mean "edit" it? I only ask as there are certain DB considerations to take into account here, especially as the ESM warns you about editing/deleting custom types where data has already been mapped to them.
Message was edited by: pauliet on 05/03/14 11:25:19 CST
Yes, I am suggesting you edit the definition of your custom type and select a different field for it. Alternately, you might choose to create a new one with a similar name. I'm assuming you have not yet successfully used your custom type under Custom7, so there should not be any issues with orphaning data anywhere.
Unfortunately the UI doesn't do a great job of letting the rule builder know what fields have been used in their rule and what is open. When I'm building a complicated rule with many fields, I tend to track this offline in a spreadsheet. Alternately, if you edit your rule and select the "+" icon in the mapping tab to add a new field, you will get a list of available data types. These data types are filtered to show only the types that are mapped to fields you have not yet used (as you have seen). As you map more custom fields in your rule, this list will get shorter, and you can use it to identify unused fields.
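The offline tracking Scott describes can be scripted rather than kept in a spreadsheet. The following is an added example, not code from the thread or from McAfee/Intel Security: it encodes the two rules stated above (a rule may occupy each custom field only once, so a custom type whose field is already taken by a predefined type the rule uses is not offered; Custom1-10 are short string fields and Custom21-27 long ones) and reports which slots are free and whether a proposed placement collides or overflows. Only the "Source User -> Custom7" mapping comes from the thread; the other entries in the type table are hypothetical placeholders, and the 100/256-character limits are the poster's recollection, treated here as assumptions to verify against your own ESM.

```python
"""Offline tracker for the custom-field slots a single ESM rule consumes.

Constructed example, not McAfee/Intel Security code. Field numbering follows
the thread: Custom1-10 are short string fields, Custom21-27 long string
fields. The 100/256-character limits are the poster's recollection and are
treated as assumptions here.
"""

SHORT_FIELDS = frozenset(f"Custom{i}" for i in range(1, 11))
LONG_FIELDS = frozenset(f"Custom{i}" for i in range(21, 28))
SHORT_MAX = 100  # assumed, per the thread
LONG_MAX = 256   # assumed, per the thread

# Constructed sample of the predefined data type -> custom field table.
# Only "Source User" -> Custom7 is stated in the thread; the rest are
# hypothetical placeholders standing in for a real ESM type list.
PREDEFINED_TYPES = {
    "Source User": "Custom7",
    "Destination User": "Custom8",
    "URL": "Custom21",
}


def _num(field):
    """Numeric part of a field name, so Custom2 sorts before Custom10."""
    return int(field[len("Custom"):])


def field_limit(field):
    """Return the assumed max string length for a custom field, or raise."""
    if field in SHORT_FIELDS:
        return SHORT_MAX
    if field in LONG_FIELDS:
        return LONG_MAX
    raise ValueError(f"{field} is not a string custom field")


def fields_in_use(rule_types, type_map=PREDEFINED_TYPES):
    """Map each custom field the rule already occupies to the type using it."""
    return {type_map[t]: t for t in rule_types if t in type_map}


def offered_types(candidate_types, rule_types, type_map=PREDEFINED_TYPES):
    """Mimic the '+' list: only types whose field the rule has not used yet."""
    used = fields_in_use(rule_types, type_map)
    return sorted(t for t in candidate_types if type_map[t] not in used)


def free_fields(rule_types, type_map=PREDEFINED_TYPES):
    """Slots a new custom type could take without colliding in this rule."""
    used = fields_in_use(rule_types, type_map)
    return sorted((SHORT_FIELDS | LONG_FIELDS) - set(used), key=_num)


def check_custom_type(field, sample_values, rule_types, type_map=PREDEFINED_TYPES):
    """Return problem codes for placing a custom type on `field` in this rule.

    'collision:<type>' if the rule already uses that field via another type,
    'too_long:<n>' if a sample value exceeds the field's assumed limit, and
    'use_long_field' when a short field overflows but a long one would fit.
    An empty list means the placement is fine under these assumptions.
    """
    problems = []
    used = fields_in_use(rule_types, type_map)
    if field in used:
        problems.append(f"collision:{used[field]}")
    limit = field_limit(field)
    longest = max((len(v) for v in sample_values), default=0)
    if longest > limit:
        problems.append(f"too_long:{longest}")
        if field in SHORT_FIELDS and longest <= LONG_MAX:
            problems.append("use_long_field")
    return problems


if __name__ == "__main__":
    # Constructed rule that already maps Source User and URL.
    rule = ["Source User", "URL"]
    print("in use:", fields_in_use(rule))
    print("free:  ", free_fields(rule))
    sample = ["PEER_ROUTER_01"]  # constructed Managed_Object value
    print("Managed_Object on Custom7:", check_custom_type("Custom7", sample, rule))
    print("Managed_Object on Custom1:", check_custom_type("Custom1", sample, rule))
```

Running it with the constructed rule shows Custom7 rejected with a collision against Source User and Custom1 accepted, which is the behaviour described in the thread; feeding it your real type table in place of the placeholders turns it into the per-rule field ledger the UI does not provide.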
Currently, in 9.5.2, the "Export" function within the Custom Types configuration (shown below) doesn't seem to be working.
Is Intel Security able to share a spreadsheet version so we can keep track of which fields are in use?