Declaring variables

To declare variables, they must be added to a correlator or correlation rule.

To add a global variable to an existing correlator:

1. In the KUMA web interface, under Resources → Correlators, select the resource set of the relevant correlator.

   The Correlator Installation Wizard opens.

2. Select the Global variables step of the Installation Wizard.
3. click the Add variable button and specify the following parameters:
   • In the Variable window, enter the name of the variable.

     Variable naming requirements

     • Must be unique within the correlator.
     • Must contain 1 to 128 Unicode characters.
     • Must not begin with the character $.
     • Must be written in camelCase or CamelCase.
   • In the Value window, enter the variable function.

     Description of variable functions.

   Multiple variables can be added. Added variables can be edited or deleted by using the icon.

4. Select the Setup validation step of the Installation Wizard and click Save.

A global variable is added to the correlator. It can be queried like an event field by inserting the $ character in front of the variable name. The variable will be used for correlation after restarting the correlator service.

To add a local variable to an existing correlation rule:

1. In the KUMA web interface, under Resources → Correlation rules, select the relevant correlation rule.

   The correlation rule settings window opens. The parameters of a correlation rule can also be opened from the correlator to which it was added by proceeding to the Correlation step of the Installation Wizard.

2. Click the Selectors tab.
3. In the selector, open the Local variables tab, click the Add variable button and specify the following parameters:
   • In the Variable window, enter the name of the variable.

     Variable naming requirements

     • Must be unique within the correlator.
     • Must contain 1 to 128 Unicode characters.
     • Must not begin with the character $.
     • Must be written in camelCase or CamelCase.
   • In the Value window, enter the variable function.

     Description of variable functions.

   Multiple variables can be added. Added variables can be edited or deleted by using the icon.

   For standard correlation rules, repeat this step for each selector in which you want to declare variables.

4. Click Save.

The local variable is added to the correlation rule. It can be queried like an event field by inserting the $ character in front of the variable name. The variable will be used for correlation after restarting the correlator service.

Added variables can be edited or deleted. If the correlation rule queries an undeclared variable (for example, if its name has been changed), an empty string is returned.

If you change the name of a variable, you will need to manually change the name of this variable in all correlation rules where you have used it.