How ArcSight FlexConnector JSON Multiple Folder Follower works

Hello.

Please explain to me how the JSON Multiple Folder Follower Connector works.

I am interested in real-time file monitoring.

For now, I'm training on an artificially generated file and artificially generated JSON events. When I start the connector, the name of the file changes with the postscript ".processed", and when I add new events to the file, they no longer come to the active channel and I have to restart the connector, and thus new events are added to the past events and some duplication occurs.

Please explain, maybe I don't understand something.

Thanks in advance

Bohdan

  • Verified Answer

    +1  

    File connectors generally have two types of ways to process files: realtime or batch mode. Realtime would read through the file and continue processing the file as new events come in. Batch mode expects that files are complete and would process files in the same folder depending on the parameters you provide the connector (i.e., looking for JSON files with *.json). The JSON Multiple Folder Follower Connector appears to only have the ability to do batch processing.
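
An added example (not code from this thread or from ArcSight) of an event producer that fits the batch behaviour described in the answer above: each batch goes into a new, complete file that is renamed into place, and nothing is ever appended to a file the connector may already have renamed to ".processed". The `*.json` wildcard comes from the answer; the one-JSON-object-per-line layout, the file naming and the `BatchSpooler` and `write_batch` names are assumptions made for this sketch.

```python
import json
import os
import tempfile
import time
import uuid

# Constructed sample events, for illustration only.
SAMPLE_EVENTS = [{"id": i, "action": "login", "user": f"user{i}"} for i in range(5)]


def write_batch(events, watch_dir):
    """Write one complete batch file into watch_dir and return its final path."""
    os.makedirs(watch_dir, exist_ok=True)
    # The temporary name must NOT match the connector's wildcard (assumed *.json),
    # so a half-written file is never picked up.
    fd, tmp_path = tempfile.mkstemp(dir=watch_dir, prefix=".batch-", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for event in events:
            # Assumption: one JSON object per line.
            fh.write(json.dumps(event, separators=(",", ":")) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    name = f"events-{time.strftime('%Y%m%dT%H%M%S')}-{uuid.uuid4().hex[:8]}.json"
    final_path = os.path.join(watch_dir, name)
    os.replace(tmp_path, final_path)  # atomic rename within one filesystem
    return final_path


class BatchSpooler:
    """Buffer events and emit a new, uniquely named file per batch."""

    def __init__(self, watch_dir, max_events=100):
        self.watch_dir = watch_dir
        self.max_events = max_events
        self.buffer = []

    def add(self, event):
        """Queue an event; return the path of a file written now, else None."""
        self.buffer.append(event)
        return self.flush() if len(self.buffer) >= self.max_events else None

    def flush(self):
        """Write any buffered events as one complete file; never append to old files."""
        if not self.buffer:
            return None
        path = write_batch(self.buffer, self.watch_dir)
        self.buffer = []
        return path
```

Calling `flush()` on a timer as well as on batch size keeps the delay before events reach the connector bounded when traffic is low.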

  • 0 in reply to   

    Hi, 

    What flex connectors do you recommend for monitoring events in real time? Or I'm just not familiar with the principle of generating JSON event files and there is no need for constant monitoring, and JSON Multiple Folder Follower Connector will be enough.

    P.S. I tried using Flex Connector File with writing configuration file jsonparser.properties and .sdkrfilereader.properties, but just got a java.lang.NullPointerException error.

  • 0   in reply to 

    Hi - It looks like you've mentioned in another thread that you've used regex to parse JSON, which is definitely an option. Another thing I'll mention here is that you could also possibly pass the event from regex to a JSON extra processor in which you could use the JSON parser instead. That could be a way to parse JSON in real time with the JSON parser.