ArcSight Ideas - TEMPORARILY CLOSED

Feature Request - New Execute Command: 'Clear Active List'

We have several use cases that require the clearing of an Active List when "X" event occurs.

It would be nice if there was a command I could execute from a rule action to perform this.

7 Comments
Acclaimed Contributor.

I think there should also be a poll for the least favorite thing. It is good to know the positive things but knowing the negative ones makes things improve.

Established Member.

Agree! Interesting feature to have!

Outstanding Contributor.

That's already possible if you create a package with an empty version of the list. Unzip the .arb and use the xml file as an input for the arcsight archive command:

/opt/arcsight/manager/bin/arcsight archive -f <emptyActiveList.xml> -u <arcsightUser> -m <ESMHostName> -p <password>


Honored Contributor.

This feature request is referring to an 'Action' within a rule.

Outstanding Contributor.

You can run any command within a rule action, so also the arcsight archive command, to clear the list using an empty version of the list.

Honored Contributor.

I'm aware - I'm referring to a built-in Action, not a workaround bash script. I think you're missing the point of this feature request.

Respected Contributor.

I'd like to see this Action as well, but I think it needs to have a system event generated per entry as well. The content I have wanted to see this used for would make use of counts and/or expiration data where a TTL is not practical.