For events, you can use a rule and store the results to an AL . You can also use a query and a "contains" condition but this implies you know the string you are looking for as you can't use regex.  It should also be possible to play with the "Like" condition but I'm not very familiar with it.

For AL, the easiest way is to export the AL and to make a search with a grep or a text editor ( notepad++ supports regex ).  If you want something automated within the console, I suggest that you start a step ahead : If possible, try to collect the string you are looking for when the AL is populated via a rule.  You can also use the Like condition within a query and run a report

HTH

Gaetan

Yes, as for the solution involving AL usage - it's pretty obvious.

Exporting to i.e. notepad++ and using regex it's also an easy one.

Should there be a need to query on data for pattern matching, arcsight simply doesn't provide this functionality.

(Using "matches" for queries on AL should be made possible).

Thanks for reply.

The closest solution for what you're looking for is the "Like" function.  It's not as powerful as the regex but it's better than nothing.  The matches function is only available in rule because of the cost in term of resources.

Actually it seems that "Like" is more powerful than I thought :

http://www.sql-tutorial.net/SQL-LIKE.asp

Nevertheless, I think it should be made available to use regex in queries. Maybe not explicitly like in rules, but there should be some workaround.

In my opinion, it's a big functionality gap.

"Like" statement may be the closes solution, but it's nowhere near as powerfull as regex and in most of the cases it doesn't do the job 😕 (like my ad hoc report that I'm preparing).

Edit: The functionality from the link you provided is not fully implemented in the 'Like' condition in ArcSight. (I've already been there).

Nice link! The last bit at the bottom is very eye opening. Will try to test later today though not sure if I will be able to really circle back to it; will try to at least keep it on my plate.

Belphegor – submit a feature request and then post the number they give you back here. I think many folks would be willing to add their company to the request giving it more weight.

Belphegor wrote:
Nevertheless, I think it should be made available to use regex in queries. Maybe not explicitly like in rules, but there should be some workaround.
In my opinion, it's a big functionality gap.

I can just agree with you.  Even if I understand why they hesitate to provide such a feature ( a wrongly formatted regex can use a lot of resources ), it should be possible to "unlock" this feature via a config file like they did to export trends results to AL in 4.x versions.  Let us know if you open a FR.

Ok. I will post the #FR once I make it.

Edit: Here it is:

ESM-46293 : use the regex functionality (via "Matches" condition) in queries

Good deal. Added our company to the FR.