ArcSight Detailed Chain brutality

So here you are looking at some lovely correlated events in our Active Channel in ArcSight... (names have been sanitized to protect the innocent)




Anyway.. the channel finally loads yet you still thirst for more detail!! and lets not kid ourselves you will not drill into each event manually... they are 1607 of them and you have better things to do (see 9gag.com).

Now being a brutal person... you come up with the following trickery... (taking into account that ArcSight is smart enough to tell you to f#$% off if you ask it to get you a Detailed Chain for too many events..) 

Brutality steps:

1. Select all the EventIDs (drag and from 1st to last eventID) copy and paste to a txt file (eventid.txt).. Keep in mind you will have to do it twice.. ArcSight allows only 1000 lines to be copied at once. In the end you should be getting the following result:
   $ wc -l eventid.txt
   1607 eventid.txt
2.  Create a new active channel (which will contain the results of your madness) with the same start and end date, and most importantly the following filter
   
   
   
3. What you are wondering now is how to make that long list into a comma-separated one-liner.. well here is awk and sed to save the day :)
    
   sed -n '1,350p' eventid.txt | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/'
   
   The bother with this issue is that you will have to run this x amount of times... since ArcSight does not allow a huge string to be placed in the Event ID In field... (maybe for the best... since even 350 might break your box!) 
   
   With that said... 
   
   

Good luck (I bare no responsibility btw.. mine worked like a charm :D)

PS: It is more recommended to run it as a query/report combo than an active channel