Creating Custom E-mails Using Velocity Templates

Hi

I have a rule that triggers when a certain event is found and sends information about that event by e-mail.

I used the ESM Administrator's Guide, section "Appendix C: Creating Custom E-mails Using Velocity Templates".

In <ARCSIGHT_HOME>/Manager/config/notifications, I created a test Velocity template, Test.vm, then modified the Email.vm file as follows, according to the instructions:
#if( $introspector.getDisplayValue($event, "deviceProduct") == "CEF Parser" )
#parse("Test.vm")
#else
#parse("Informative.vm")
#end

But this option always results in the Informative.vm template being used.

If you leave the file settings like this #parse("Test.vm"), it works, but the email has no information about the event that triggered the email rule.

What is the error, and how do I fix it?

Thanks in advance.

Bohdan

  • 0  

    From looking at this, it looks like it should be proper.  Maybe a couple things you can try to troubleshoot this and narrow down the issue:

    In the Informative.vm, put this line in there to see what is coming back for the deviceProduct:

    Device Product:     $introspector.getDisplayValue($event,"deviceProduct")

    You can also try switching the order just to make sure your Test.vm is picked up properly and doesn't have any issues:

    #if( $introspector.getDisplayValue($event, "deviceProduct") == "CEF Parser" )
    #parse("Informative.vm")
    #else
    #parse("Test.vm")
    #end

    Maybe also try using a different deviceProduct name to see if it's able to pick up others.

  • 0 in reply to   

    Maybe it's an incorrectly described rule? Although it works on the necessary events, the rule itself does not specify that fields from these events should be saved. It seems to me that this is why the deviceProduct field is empty and therefore the condition is not met for the desired template. Is there some way to tell the rule to store and process the trigger event fields?

  • Verified Answer

    +1   in reply to 

    Ah, yes.  In the rule you would have to aggregate on the fields being identical and choose deviceProduct.