How to use Event Rules Regex Parser
This article is intended to clarify some of the particulars and limitations of the Regex Parser.
- Flags cannot be set manually. By default the multi-line flag is off and the single-line flag is on.
- The following features are not currently supported:
  - Setting flags
- Example of how to parse a multi-line event (working example vs. non-working examples):
Value: some value
Target Hostname: domain.testing.com
Target IP Address: 10.10.1.1"
Configure Event Rule to parse Description with:
"Hostname: (.*\n)" - Evaluation error (requires full text match)
"(.+?(?<=Hostname: ))(.+?$)(.*)" - Evaluation error (Lookbehind not supported)
"(?m)(.+Hostname: )(.+?$)(.*)" - Evaluation error (Manual flags not supported)
"(.+Hostname: )(.+?)(\n.*)" - Works
- This will usually produce unwanted/unneeded capture groups. This is expected; simply ignore those capture groups on the Event Rules transform page.
- Java regex tester: https://www.freeformatter.com/java-regex-tester.html
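As an added illustration (not part of the original article or the product's own code), the following Python snippet emulates the parser constraints listed above with Python's `re` module and runs the four patterns against the sample description. The parser itself is Java-based; modelling it as full-text match, single-line (DOTALL) on, multi-line off, no inline flags and no lookbehind is an assumption drawn from the bullet points above, and the function and constant names are mine.

```python
import re

# Constructed sample: the multi-line event text from the article's example.
SAMPLE_DESCRIPTION = (
    "Value: some value\n"
    "Target Hostname: domain.testing.com\n"
    "Target IP Address: 10.10.1.1"
)

# The four patterns the article walks through, in the same order.
ARTICLE_PATTERNS = [
    r"Hostname: (.*\n)",                     # fails: must match full text
    r"(.+?(?<=Hostname: ))(.+?$)(.*)",       # fails: lookbehind unsupported
    r"(?m)(.+Hostname: )(.+?$)(.*)",         # fails: manual flags unsupported
    r"(.+Hostname: )(.+?)(\n.*)",            # works
]

_INLINE_FLAGS = re.compile(r"\(\?[a-zA-Z-]+[:)]")  # (?m), (?i), (?s:...), ...
_LOOKBEHIND = re.compile(r"\(\?<[=!]")              # (?<=...) and (?<!...)


def parse_event(pattern: str, text: str):
    """Emulate the Event Rules regex parser (assumed behaviour, see lead-in).

    Returns the tuple of capture groups on success, or a string beginning
    with 'Evaluation error' naming the constraint that was violated.
    """
    if _INLINE_FLAGS.search(pattern):
        return "Evaluation error (Manual flags not supported)"
    if _LOOKBEHIND.search(pattern):
        return "Evaluation error (Lookbehind not supported)"
    # Single-line mode: '.' crosses newlines. Multi-line is off, so '$'
    # anchors only at the end of the whole text. The pattern must consume
    # the entire description, hence fullmatch rather than search.
    match = re.fullmatch(pattern, text, flags=re.DOTALL)
    if match is None:
        return "Evaluation error (requires full text match)"
    return match.groups()


def hostname_from_working_pattern(text: str) -> str:
    """Extract the hostname with the working pattern. Group 2 holds it;
    groups 1 and 3 are the unneeded captures the article says to ignore."""
    groups = parse_event(ARTICLE_PATTERNS[3], text)
    return groups[1]


if __name__ == "__main__":
    for p in ARTICLE_PATTERNS:
        print(f"{p!r:45} -> {parse_event(p, SAMPLE_DESCRIPTION)}")
```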