Parse expressions in correlation match expressions - Documentation for BMC Defender SIEM Correlation Server 6.1
Matthew Perez

You can use parse expressions in match expressions to create specialized matches for messages. The match comparison operators (such as lt, gt, eq, and ne) can compare a value parsed from a message to a known value. You can combine parse functions with logical operators (and, or, and not) to test whether a field has a particular characteristic.
The following table presents examples of match expressions and descriptions of the match results:
| Match expression | Description |
|---|---|
| test and $url($8) | Matches only if the message contains the word test, and the eighth word is a URL |
| (not test) and $delim(pipe, $3) eq "root" | Matches only if the message does not contain the word test, and the third pipe-delimited field of the message is equal to root |
| $geo($5) eq US | Matches only if the fifth word of the message is an IP address, and that IP address geo-locates to the United States (US) |
| "admin" in $basename(user name: *) | Matches only if the base name of the word following "user name" contains the keyword admin |
| $ipaddr($8) and ($int($suffix($8)) lt 100) | Matches only if the eighth word is an IP address, and the numeric suffix of the IP address (such as the port number) is less than 100. For example, 10.1.1.10:80 matches, but 10.1.11.12:110 does not. |
| $basename($delim(pipe, 3)) eq "admin" | Matches only if the base name of the third pipe-delimited field is equal to admin |
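The following Python script is an added illustration, not code from BMC Defender, that models how four of the table's match expressions evaluate against sample messages. The product does not publish the exact semantics of its parse functions, so every rule coded here is an assumption: words are whitespace-separated and 1-indexed, a bare keyword means whole-word presence, $url requires a scheme followed by "://", $suffix returns the text after the last colon, and $ipaddr accepts an IPv4 address with an optional :port. The $geo and "user name: *" rows are omitted because they need a geo-IP database and a pattern syntax the page does not define. The sample messages are constructed for this example.

```python
import ipaddress
import posixpath

# Assumed semantics of the parse functions used in the table above.
# Words are 1-indexed and whitespace-separated, as $N and $url($8) imply.

def words(msg):
    """Whitespace-split a message into its words."""
    return msg.split()

def word(msg, n):
    """$N: the n-th word (1-indexed), or "" if the message is shorter."""
    ws = words(msg)
    return ws[n - 1] if 0 < n <= len(ws) else ""

def has_word(msg, keyword):
    """A bare keyword in a match expression: whole-word presence (assumed)."""
    return keyword in words(msg)

def is_url(s):
    """$url: true when the word is scheme://something (assumed definition)."""
    scheme, sep, rest = s.partition("://")
    return bool(sep) and scheme.isalpha() and rest != ""

def delim(msg, separator, n):
    """$delim(pipe, N): the n-th field after splitting on the delimiter."""
    fields = [f.strip() for f in msg.split(separator)]
    return fields[n - 1] if 0 < n <= len(fields) else ""

def basename(s):
    """$basename: last path component, accepting '/' or '\\' separators."""
    return posixpath.basename(s.replace("\\", "/").rstrip("/"))

def suffix(s):
    """$suffix: text after the last ':' (the port of host:port), else "" (assumed)."""
    return s.rpartition(":")[2] if ":" in s else ""

def is_ipaddr(s):
    """$ipaddr: the word is an IPv4 address, optionally followed by :port (assumed)."""
    host = s.rpartition(":")[0] if ":" in s else s
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def to_int(s):
    """$int: integer value of the text, or None when it is not numeric."""
    return int(s) if s.isdigit() else None

DELIMS = {"pipe": "|"}

# Each matcher is the Python equivalent of one row of the table.

def match_test_and_url(msg):
    """test and $url($8)"""
    return has_word(msg, "test") and is_url(word(msg, 8))

def match_not_test_and_root(msg):
    """(not test) and $delim(pipe, $3) eq "root" """
    return (not has_word(msg, "test")) and delim(msg, DELIMS["pipe"], 3) == "root"

def match_ip_with_low_port(msg):
    """$ipaddr($8) and ($int($suffix($8)) lt 100)"""
    w = word(msg, 8)
    if not is_ipaddr(w):
        return False
    port = to_int(suffix(w))          # None when there is no numeric suffix
    return port is not None and port < 100

def match_basename_admin(msg):
    """$basename($delim(pipe, 3)) eq "admin" """
    return basename(delim(msg, DELIMS["pipe"], 3)) == "admin"

MATCHERS = {
    "test_and_url": match_test_and_url,
    "not_test_and_root": match_not_test_and_root,
    "ip_with_low_port": match_ip_with_low_port,
    "basename_admin": match_basename_admin,
}

# Constructed sample messages for this example; not taken from any real log.
SAMPLE_MESSAGES = {
    "test_url":   "host1 test GET request by user bob https://example.com/login 200",
    "no_test":    "host1 prod GET request by user bob https://example.com/login 200",
    "pipe_root":  "auth|login|root|success",
    "pipe_test":  "test auth|login|root|success",
    "port_80":    "fw1 accept tcp connection from 192.0.2.5:51234 to 10.1.1.10:80 allowed",
    "port_110":   "fw1 accept tcp connection from 192.0.2.5:51234 to 10.1.11.12:110 allowed",
    "no_port":    "fw1 accept tcp connection from 192.0.2.5:51234 to 10.1.1.10 allowed",
    "admin_path": "web1|/var/www/html|/home/admin|ok",
    "other_path": "web1|/var/www/html|C:\\Users\\guest|ok",
}

def evaluate_all(messages=SAMPLE_MESSAGES):
    """Run every matcher over every message; returns {message: {matcher: bool}}."""
    return {name: {m: fn(msg) for m, fn in MATCHERS.items()}
            for name, msg in messages.items()}

if __name__ == "__main__":
    for name, results in evaluate_all().items():
        hits = [m for m, ok in results.items() if ok]
        print(f"{name:11s} -> {', '.join(hits) or '(no match)'}")
```

The "no_port" message is the case worth noticing: $ipaddr($8) is true, but $suffix returns nothing, so $int yields no number and the lt comparison fails rather than matching by accident. A production rule that relies on $suffix for a port should be written with that in mind.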