• State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 4 replies
  • Subscribers 94 subscribers
  • Views 2674 views
  • Users 0 members are here
Options
Related

Log Current Value with DialogWatchProperty

dan
over 4 years ago

Using v8.1.1. I've got Splunk that wants to consume the historical data of One Identity. I've got a bunch of watched properties and they're logging into DialogWatchProperty and DialogWatchOperation but my problem is that the current value of an attribute isn't stored in DialogWatchProperty when a change is made, only the old value. This means I have to do something custom for the Splunk agent to get the data it wants. Any ideas about approach to doing this?

  • 0 over 4 years ago

    I noticed there's a field contentfull in DialogWatchProperty. Is it possible that some setting can have this field populated with the full current value of the object being updated?

  • 0 over 4 years ago

    I see in the reports that use historical data, there is a reference to a Query Module called Historical Assignments. Is this something I may be utilise to create a view for consumption by Splunk?

  • +1 over 4 years ago in reply to dan

    Hi Dan,

    Historical assignments will give you data about assignments. If you are looking at simple object changes there is another query module for that. See the report VI_Person_Overview_With_History for an example.

    DialogWatchProperty does not store the current value of a field as that would be very inefficient.

    If you can use the object layer, I would recommend using the IHistorySource interface something like this:

    ISession session = <database session>
    IDbObjectKey key = <key of your object>
    var changes = session.Resolve<VI.DB.History.IHistorySource>().GetChanges(key, DateTime.MinValue, VI.DB.History.HistoryMode.Default).Result;

  • 0 over 4 years ago

    I ended up writing a mammoth query that has CASE WHEN THEN statements for each possible table and column that appears in the DialogWatch tables and joining to every table that is logged and feeding all that into one attribute.