Open topic with navigation

Creating a Variable to Get Session List Data

For a given resource, create a variable using the GetSessionData function to get session timestamp data from a session list.

To create a variable to get session list data:

  1. From the Resources tab in the Navigator pane, select the resource that will consume the session list data.

    For a list of eligible resources, see Using the Session List Output. This procedure uses Filters as an example.

  2. Right-click a filter group and select New Filter.

  3. On the Attributes tab, enter a name for the filter and set other attributes as required.

  4. On the Variables tab, click Add and then select either Local Variable or Global Variable (depending on whether you want to share the variable across all resources).

  5. In the Add Variable dialog, provide the following information and click OK:

    In this field...

    ...enter this

    Name

    Enter a name for the variable. The name you enter appears in the <Lists> menu available from the Common Conditions Editor (CCE). Spaces and special characters are allowed.

    Note: If you are creating a local variable, ensure that the name is unique across all resources. Local variables cannot share names.

    Function

    From the Function drop-down list, select List Functions > GetSessionData.

    Arguments

    From the <field name> drop-down list, select the session list that you created previously.

    Preview

    To preview the results, select an asset from the list of assets reporting events to ArcSight and click Calculate.

  6. Perform any necessary session field mapping.

  7. In the Filters tab conditions editor, scroll down to the bottom of the Fields list until you see Variables. Here you see the name of the variable you created earlier in this procedure.

    In the Operator field, select an operator appropriate for the GetSessionData function for the variable you created.

    In the Condition field, enter an appropriate value and then click OK.

    Session lists that allow overlapping sessions take a comma-separated list of values. Session lists that do not allow session overlapping take a single value. This instructs the filter to derive its values from your session list.