Event Mapping

The Event Mapping section lists tokens by name, which are mapped to ArcSight event fields, such as event.sourceAddress. The type of the token must match the type of the ArcSight Event field.

In addition to the tokens that are parsed from each input record, you can also configure built-in tokens for specific FlexConnector. Built-in tokens are predefined strings that assign values associated with them to events. For example, if you want to set the event.deviceHostName to the name of the syslog sender, you can set event.deviceHostName=_SYSLOG_SENDER.

For a complete list of built-in tokens available for each type of FlexConnector, see ArcSight Built-in Tokens. For a complete list of the ArcSight event fields, see ArcSight Built-in Event Field Mappings.

See RequestUrl Event Field for information on how to use requestUrl.