SBEC Rule Custom Attribute Uses GUID

We ran across something when creating an SBEC rule which we do not understand. These rules were inherited and we don't have access to the author.

Under the Custom Attributes section there is one CA latestCorrelationID that is assigned the value ${e04e5421-1cd3-1039-7af3-7bc469ff7485.ca.latestCorrelationID}.

We have no idea what the e04e5421-1cd3-1039-7af3-7bc469ff7485 refers to. Any help would be appreciated.

Thanks in advance for all replies and ideas. This one has us stumped.

Steve

  • 0  

    Hello,

    Interesting question and I don't know the answer. 

    Since it's a CMA, it could have been added anywhere. I don't think that "CA LatestCorrelationID" is a value added by OBM - at least I've never noticed it before. It's difficult to know where the CMA has been added, but I think it's more likely from the OBM server pipeline rather than a policy. But, I'd start at the event source and work through how the event gets to the SBEC rule.

    Since it's a UUID, I think the CI may be referring to something that no longer exists OR if a policy was copied using a content pack without all the dependencies needed being copied.

    I hope you find this helpful, but I don't think I can offer more at the moment...

    I hope you get a better answer.

  • 0

    Would you be able to upload a screenshot of the rule to understand where you are seeing this?

  • 0

    We do have an event processing customization script that runs before CI/ETI resolution to create the custom attribute.

    // CMAs to feed the SBEC rules
    event.addCustomAttribute("latestCorrelationID", event.id.toString());
    if (event.getApplication() == "NNMi")
    {
        event.addCustomAttribute("latestCorrelationNode", event.nodeHints?.hint);
        event.addCustomAttribute("correlationNode", event.nodeHints?.hint);
    }
    else
    {
        event.addCustomAttribute("latestCorrelationNode", event.relatedCiHint);
        event.addCustomAttribute("correlationNode", event.relatedCiHint);
    }

    This is the only place I can find this CMA being set.

  • 0 in reply to 

    If you go to Edit attributes and then to each custom attribute, check whether the one with just the UUID is walkable (drill down). I suspect the other ones are; this one may have issues. The starting point of the CAs is each event filter in your rule (it should be in the upper portion of your rule that's not visible).

  • 0 in reply to 

    Thanks Misaq. Appreciate the guidance.

    Here's what I get. Yes, the CAs are walkable, but the latestCorrelationID is not shown. Attached are the screenshots from the SBEC rule. Nowhere can I find the latestCorrelationID. I have to be missing something.

  • Verified Answer

    +1 in reply to 

    The script creates the CMAs that enable you to use them in the filters later on. The combination rule is looking for the events with these custom attributes and other patterns; based on what (and also ordered or not), the rule kicks in, and it seems like it's using the correlation.

    If you look at the first page with editing, it presents all the summary that you need. (Attaching a simple rule example.)

    For the origin of the e04e5421-1cd3-1039-7af3-7bc469ff7485 UUID: maybe if you open the filter related to it, you may get something in the description. Usually it's just the name of the filter.

  • 0 in reply to 

    I agree with your answer. Unfortunately, I could not find the UUID origin in my case. Everything you suggested seems very logical and it should have worked. I hope this can help someone else.

    Thanks Misaq for your help. I definitely learned a lot. And to Duncan for taking the time to respond and giving me some comfort that I was not alone!

  • 0 in reply to 

    As it's related to inbounds from NNMi, the UUID might be coming from there. You can check for some customization there (custom attribute, enrichment or action).