Question & Answer
Question
I've created a Custom Event Property (CEP), but it's not available in the filters section to select when I create a Routing-/Rule or a Search or a Report.
Cause
Only optimised CEP's show up for Routing-/Rules etc.
Answer
- Open the CEP via Admin> Custom Event Properties
- Edit your newly created CEP.
- This checkbox has to be checked in the CEP:
QRadar 7.3.2/7.3.3: Parse in advance for rules, reports, and searches
QRadar 7.4.0/7.4.1: Enable for use in Rules, Forwarding Profiles and Search Indexing - Click Save at the bottom-right of the window.
The CEP will be available for selection after a few minutes, when the optimising is completed.
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"TS003594677","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
28 August 2020
UID
ibm16208403