I am trying to create a correlation rule that would trigger if the Risk Factor is over 60. Since the default Parser would not capture the Risk Factor, I created an ASP to capture the information from the log and a new custom field for it.
Firstly, I went to System Properties > Custom Types to create an Integer field, with the Index option, named Risk Factor. The name in the pic below is not correct, but the setting is the same. I also checked the Index Data option.
Then I created an ASP to capture the Risk Factor. Everything is working fine; the ASP captures the information and displays it in the Custom Type tab. I can run a Filter and search for the Risk Factor value. No issue here.
I created a really basic Correlation Rule that would trigger if the Risk Factor is greater than 60.
However, when I tried to roll it out, this is the error that I received.
I tried a lot of options in the custom field, filter... none is working. However, if I edit the ASP and map the information into an already-existing custom field, the correlation rule works fine. I figured that the problem is the custom field that I created.
Does anybody have any suggestions?
If you contact Support and let them know you have come across bug 31079 they will get you the latest 9.2.1 HotFix which has a fix for that bug.