2017-11-23 11:44 PM
I happened to create a custom feed for the metakey value threat_source. I used this custom feed in an EPL rule. But the problem is that in some cases threat_source has two values, i.e. let's say IP address 10.10.1.1 belongs to threat_source 'rsafirst-watch' and it also belongs to threat_source 'custom-feed'. This is causing a problem in triggering the alert. So if there are two values for a single metakey, will RSA ignore one of them (in this case RSA is not considering threat_source as 'customfeed')?
2017-11-24 06:05 AM
Hello Jees,
You should convert the meta threat_source into an array type, and you should use custom functions for the multi-valued
2017-11-24 07:40 AM
Hi Team,
We are using the default parser trendmicrodsa (updated from live) but are observing multiple values for a single meta (alias.host).
Any help to fix this would be appreciated.
Thanks
Utsav Sejpal
2017-12-05 11:34 PM
Hello Roberto,
Very Helpful. Thanks!
2017-12-08 03:28 AM
Hi All,
If I create a custom metakey in 'index-logdecoder-custom.xml' and restart the service, will it cause any issues to the existing metakeys?