IBM QRadar

Hi Guys

I'm trying to figure out , how to build an event mapping based on property but...

The thing is that log source RAW data has one eventID number type but with two diffrent event status . Success /Failure

and im trying to map an event under two diffrent events: when the Event status is Success and another one , when Event Status is Failure

is it possible?

Best Regards

T.

Hi,

hope this helps to answer your question.

https://www.ibm.com/docs/en/qsip/7.4?topic=qradar-event-mapping

Regards,

Ralph

Tarabski, this can probably be done, but it depends on the exact details of the log text that arrives. For more help, you'll need to post a sample of a log message to be parsed.

You need to use a Regex to capture two pieces of the text and combine them with a format string into the Event ID field. See Referencing capture strings by using format string fields - IBM Documentation for details on how this can be done. For example, if your text contained this:

id=12345|foo=67|bar=89|status=Success

You could use a regex and a format string to produce an event ID like this:

12345Success

The regex would be something like:

id=(\d+)(.*?)\|status=([^|]+)

The format string would be:

$1$2

Once that's done, you can use the combined Event ID field for mapping to QIDs.