Troubleshooting
Problem
New custom QID is not mapping to events with successfully parsed Category and EventID that appear to match the QID.
Symptom
A new custom QID is created to map events with successfully parsed Category and Event ID, but even when the information extracted seems to match the mapping.
The events are going to "Unknown" and not mapping to the new QID.
For example, if an admin wants to map this sample event:
<13>Sep 30 07:13:59 hostname.doman.com EXEC[4182]: Cat: Security2 ID: NewEvent#123 MSG: New security event activity.
Security2 value is extracted for Event Category and NewEvent#123 for Event ID.
In the DSM Editor, in the Event Mapping tab, the values in the QID appear to match the values parsed from the events:
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"TS010363667","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Log InLog in to view more of this document
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.
Was this topic helpful?
Document Information
Modified date:
19 September 2022
UID
ibm16614981