AnsweredAssumed Answered

How to call fld30 on investigation tab?

Question asked by Utsav Sejpal on Aug 1, 2017
Latest reply on Aug 3, 2017 by Utsav Sejpal

Like • Show 0 Likes0
Comment • 5

Hello Folks,

We have recently integrated TrendMicro web proxy device (version 6.5-SP2_Build_Linux_1731) with the SA. There's a specific filed which we notice in the row log "tk_size" which provides information about data transfer done in the particular session.

On the SA however, this field gets merged in "msg" section and support asked us to create the custom parser to accommodate the requirement.

While opening the log on ESI tool, I could notice that fld30 has been assigned to tk_size field already (PFA). Is there a way to call this meta "fld30" to investigation tab?

Any help much appreciated!!

Best Regards,

Utsav Sejpal

Dave Glover

Aug 2, 2017 4:01 PM

Correct Answer

You can;t just save the parser to a new name. there are other files that refer to that parser by name.

Just save the parser as the same name to test and make sure your changes provide the results you expect

Dave

See the reply in context

Attachments

fld30.png207.6 KB

No one else had this question

Outcomes

5 Replies

Dave Glover Aug 1, 2017 8:02 AM
Mark Correct
Correct Answer
The 'fldx' variables are used as placeholders in the parsers. There are a couple ways to make this data available.

The first way, as you requested is to enable 'fld30' in the tablemap and then index the variable is one way. However, this will have unintended consequences, that variable is possibly used in many parsers and you will end up seeing more than you expect. This is not the proper way to proceed.

Second, since you have the ESI tool open, you could change the 'fld30' variable to something else that is currently enabled in the system. Once you do this the data will be available throughout the system. This will work as you expect. The downside of this is when a new parser gets posted to live, if you have subscribed to it, it will overwrite your changes back to defaults. This can be prevented by not subscribing to parser updates.

Lastly would be submit a case with support to add in the changes you would like into the OOTB parser.

I would use a combination of 2 and 3.

That way you have the data available now while you wait for the OOTB parser to be changed.

Hope that helps

Dave
Like • Show 1 Like1
Actions
- Utsav Sejpal @ Dave Glover on Aug 1, 2017 9:59 PM
  Mark Correct
  Correct Answer
  Hi Dave Glover
  
  Thanks for your inputs.
  
  I tried to rename the meta "fld30" to "bytes" and saved the parser with a new name. I then uploaded newly created .xml and .ini files to the Log decoder CLI into below location:
  
  /etc/netwitness/ng/envision/etc/devices
  
  I gave full permission to the newly added folder and files (.xml and .ini)
  
  I restarted log decoder service and was trying to locate newly added parser in the general tab of log decoder (SA GUI) but couldn't find the one.
  
  Am I doing it correctly or is there any other way to upload custom parsers to SA?
  
  Best Regards,
  Utsav Sejpal
  Like • Show 0 Likes0
  Actions
  - Dave Glover @ Utsav Sejpal on Aug 2, 2017 4:01 PM
    Unmark Correct
    Correct Answer
    You can;t just save the parser to a new name. there are other files that refer to that parser by name.
    
    Just save the parser as the same name to test and make sure your changes provide the results you expect
    
    Dave
    1 person found this helpful
    Like • Show 0 Likes0
    Actions
    - Utsav Sejpal @ Dave Glover on Aug 3, 2017 7:08 PM
      Mark Correct
      Correct Answer
      Hi Dave Glover,
      
      Thanks for your help. It worked like a charm
      
      Best Regards,
      Utsav Sejpal
      Like • Show 0 Likes0
      Actions
Eric Partington Aug 3, 2017 7:03 PM
Mark Correct
Correct Answer
I would add another options which would be to write a lua parser that specifically looks for the value in fld30 in that msg.id for that device type and moves it to the appropriate metakey for your need. That way you aren't changing the parser, indexing a temp value or any other changes.

There are examples on Link for parsers to move specific values around for log messages that you can use for a template.
Like • Show 1 Like1
Actions

How to call fld30 on investigation tab?

Attachments

Outcomes

Related Content

Recommended Content