This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA - Match on Multiple Occurrences of a Single Meta-Key?

drewjc
Occasional Contributor
Occasional Contributor

‎2018-06-22 03:39 PM

Hi,

 

I want to build an ESA alert that will trigger on any single event where multiple instances of the error meta-key are present in the event metadata.

 

As an example,

 

feed.name    =    "investigation"
analysis.file    =    
error    =    
error    =    
error    =    

 

I've already tried numerous approaches but nothing seems to work. Also, I found it interesting to note that the error meta-key is of type string and not a string array.

 

Any suggestions would be welcomed and appreciated. Thanks in advance.

0 Likes
1 REPLY 1

NickMikhal
Beginner
Beginner

‎2018-06-25 11:24 AM

Hello Drew,

First you change variable type of meta 'error' to string array: 000032359 - Changing ESA Variable Type in RSA Security Analytics 10.5 

Then you use default string array operators with this meta: ALL, ANY, etc: Chapter 9. EPL Reference: Operators

Or RSA custom functions matchLike, matchRegex: Alerting: Sample Advanced EPL Rules

Or you can change type to string with CAST function but it will work properly only if there is 1 metakey for this string array for particular msg.id as it will grab the first registered value: Chapter 10. EPL Reference: Functions 

Some standard java/esper iterators will work in esper online, but will not work in ESA, due to actually string array is implemented as vector type in ESA: https://community.rsa.com/message/871203?commentID=871203#comment-871203

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.