One thing I learned today is patience when testing an ArcSight rule on old events. This has always sort of been voodoo to me. Maybe everyone knows this already, but I thought I'd share. When you test a new rule using the "Test" button (see image to left) in the Rule definition window, the behavior differs slightly from a normal Active Channel. ESM essentially creates an Active Channel and inserts your test rule into that stream of events.
So it looks like any other Active Channel, with one exception. The channel will speed through status messages such as "Percentage Complete" and "Retrieving events", and may even show "No data matches this query". This does not necessarily mean your rule does not work.
Just let the Active Channel sit there for a few minutes and you may get results. Apparently, when ESM says it is done, it is not done.
This has tripped me up many times and I finally figured out it was lying to me today when my ADHD kicked in. I came back to the channel later and had results.
Until next time... Wyman