Declaring variables

Expand all | Collapse all

To declare variables, they must be added to a correlator or correlation rule.

To add a global variable to an existing correlator:

1. In the KUMA Console, under Resources → Correlators, select the resource set of the relevant correlator.

   The Correlator Installation Wizard opens.

2. Select the Global variables step of the Installation Wizard.
3. click the Add variable button and specify the following parameters:
   • In the Variable window, enter the name of the variable.

     Variable naming requirements

     • Must be unique within the correlator.
     • Must contain 1 to 128 Unicode characters.
     • Must not begin with the character $.
     • Must be written in camelCase or CamelCase.
   • In the Value window, enter the variable function.

     When entering functions, you can use autocomplete as a list of hints with possible function names, their brief description and usage examples. You can select a function from the list and insert it together with its list of arguments into the input field.

     To display the list of all hints in the field, press Ctrl+Space. Press Enter to select a function from the list. Press Tab to go to the next argument in the list of arguments of the selected function.

     Description of variable functions.

   Multiple variables can be added. Added variables can be edited or deleted by using the icon.

4. Select the Setup validation step of the Installation Wizard and click Save.

A global variable is added to the correlator. It can be queried like an event field by inserting the $ character in front of the variable name. The variable will be used for correlation after restarting the correlator service.

To add a local variable to an existing correlation rule:

1. In the KUMA Console, under Resources → Correlation rules, select the relevant correlation rule.

   The correlation rule settings window opens. The parameters of a correlation rule can also be opened from the correlator to which it was added by proceeding to the Correlation step of the Installation Wizard.

2. Click the Selectors tab.
3. In the selector, open the Local variables tab, click the Add variable button and specify the following parameters:
   • In the Variable window, enter the name of the variable.

     Variable naming requirements

     • Must be unique within the correlator.
     • Must contain 1 to 128 Unicode characters.
     • Must not begin with the character $.
     • Must be written in camelCase or CamelCase.
   • In the Value window, enter the variable function.

     When entering functions, you can use autocomplete as a list of hints with possible function names, their brief description and usage examples. You can select a function from the list and insert it together with its list of arguments into the input field.

     To display the list of all hints in the field, press Ctrl+Space. Press Enter to select a function from the list. Press Tab to go to the next argument in the list of arguments of the selected function.

     Description of variable functions.

   Multiple variables can be added. Added variables can be edited or deleted by using the icon.

   For standard correlation rules, repeat this step for each selector in which you want to declare variables.

4. Click Save.

The local variable is added to the correlation rule. It can be queried like an event field by inserting the $ character in front of the variable name. The variable will be used for correlation after restarting the correlator service.

Added variables can be edited or deleted. If the correlation rule queries an undeclared variable (for example, if its name has been changed), an empty string is returned.

If you change the name of a variable, you will need to manually change the name of this variable in all correlation rules where you have used it.

Page top