3 Replies Latest reply on Feb 12, 2018 3:52 AM by Shai Ovadia

    ITDA 2.7 : Sending contents of a matched line from saved search to Truesight

    Sameer Salve

      Is there a way of sending the contents of a matched line from a saved search to a TrueSight event via notification?

        • 1. Re: ITDA 2.7 : Sending contents of a matched line from saved search to Truesight
          Scott Bleasdell

          Sameer Salve, the short answer to your question is "yes".  The long answer is that it will require you to use a script that uses the ITDA Search REST API to execute the search, make a decision about whether an event should be created in TSIM, and then create the event and submit the matched line(s) in a slot in the event.

           

          This is something we have thought about doing natively in a Notification in ITDA, but it hasn't been a high enough priority compared to a lot of other improvements we have been working on.  With your additional request for this, I am going to put this towards the top of the list to consider for our release planned for the Fall 2018.

           

          Here's what I am thinking we could enable:

          • Predefine a slot of log data contents
          • Provide an option to fill the log data contents slot with N messages from the search results (where N is the maximum, and there would be an upper limit to the number of messages, or perhaps a total size limit, that would be enforced to ensure the event can handle the additional data and it can be displayed in the Presentation Server)
          • Configurable on a per Notification basis

           

          Does this sound like it would meet your needs?  Is there anything I am missing?

           

          I do have a script - it's written in PowerShell - that would need some modification to work for you in the meantime.  If you are interested in that script, let me know here and I'll try to get it to you (after some cleanup) as soon as I can.

           

          Regards,

          Scott

          • 2. Re: ITDA 2.7 : Sending contents of a matched line from saved search to Truesight
            Sameer Salve

            Thanks a lot for your response. This sounds perfect.

            The script you mentioned will be very useful until this has been implemented in the product. Please do share the same once it's cleaned up. Currently I have quite a few requirements where I need to send the matched line from ITDA to events.

             

            Thanks,

            Sameer

            • 3. Re: ITDA 2.7 : Sending contents of a matched line from saved search to Truesight
              Shai Ovadia

              Hi Scott

              I absolutely think that this feature is one of the top missing features in ITDA and would be more than glad to vote for it in order to get it into the coming 11.3 release.

               

              In the meanwhile - any chance to get the script you mentioned?  It would be very helpful in our projects.

               

              Many thanks

              Shai