IBM QRadar

I have parsed all fields in a uDSM custom parser and they appear correctly in the DSM Editor, but for one Event ID only i am seeing Unknown as the Event Type/Category while all others are getting parsed correctly. For this Unknown event in the DSM Editor it is showing as Parsed and Mapped but still it shows Unknown. Kindly can someone help.

Hi Muhammad ,Abraham here.

Iv used the DSM Editor significantly,iv experienced such a thing as well.

The first thing I did is verify that the Regex captures the specific event on the DSM editor(The event is highlighted)

If this is so verify that the event ID U used during the mapping is a valid event ID and event category otherwise it won't parse it.

If the event ID and category is valid delete the mapping and create a new one on the DSM editor.

If this doesnt work open a case with IBM, hope this helps

I did encounter cases when the usual way of creating an exact Event ID / QID reference would not automatically map the event. Not sure if you already did that, but in such cases I the old-fashioned way of opening the event and using the Map Event option helped.

If this is something you already tried, I am curious if you found maybe reference to similar problems in APARs or so (this mostly version specific).