gykarp Absent Member.

Regex in logger report queries


Hi everyone,

I'm quite new to ArcSight products.

I got a task to generate reports on Loggers, and there are some requirements that cannot be solved with SQL's basic LIKE operator, and it seems Logger's SQL (MySQL? Postgres?) handles neither REGEX nor SIMILAR TO nor the RLIKE operator. Can you guys give me any suggestion on what I can use in queries? I'd prefer regex, no matter which flavour. Logger is 5.5 P1.

Thanks


Accepted Solutions
gykarp Absent Member.

Re: Regex in logger report queries


For anyone's future reference, it's REGEXP.

2 Replies
jgkhoury Absent Member.

Re: Regex in logger report queries


Logger report queries are based on MySQL, so you can use these options if needed.

For more detail, see:

MySQL :: MySQL 5.1 Reference Manual :: 12.5.2 Regular Expressions

One important point to highlight: REGEXP can slow your query, especially if you are running it against a large data set.

I suggest using LIKE and OR conditions before choosing REGEXP.

For example, I am interested in running a report against dst addresses that start with 192.168.64.*

Start with LIKE first:

-- Prefix match with LIKE: '%' matches any trailing characters, '.' is literal here.
-- GROUP BY is needed so that COUNT() is reported per source/destination pair.
SELECT events.arc_sourceAddress      "Source IP",
       events.arc_destinationAddress "Dest IP",
       COUNT(events.arc_name)        "COUNT"
FROM   events
WHERE  events.arc_destinationAddress LIKE '10.10.74.%'
GROUP BY events.arc_sourceAddress, events.arc_destinationAddress;

For a REGEX operation you can use:

-- Anchored REGEXP: matches addresses beginning with '10.10.' or '64.'.
-- '\\.' in a MySQL single-quoted string reaches the regex engine as '\.',
-- a literal dot; an unescaped '.' would match any character.
SELECT events.arc_sourceAddress,
       events.arc_destinationAddress,
       COUNT(events.arc_name) "COUNT"
FROM   events
WHERE  events.arc_destinationAddress REGEXP '^(10\\.10\\.|64\\.)'
GROUP BY events.arc_sourceAddress, events.arc_destinationAddress;

For RLIKE, you can use the following:

-- RLIKE is a synonym for REGEXP; each alternative is anchored at the start.
SELECT events.arc_sourceAddress,
       events.arc_name
FROM   events
WHERE  events.arc_name RLIKE '^accept|^Login';

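As an added example (not from the original answer), the LIKE-first approach with OR conditions, followed by a filter LIKE cannot express but REGEXP can: a range of third octets. It assumes the events table and arc_* columns used in the answer above; the address ranges are constructed for illustration.

```sql
-- Added example, not from the original thread. Assumes the Logger report
-- schema used above: table events with arc_sourceAddress,
-- arc_destinationAddress and arc_name. MySQL 5.1-era REGEXP syntax.

-- 1) LIKE first: a cheap prefix match, combined with OR for a few /24s.
--    '%' matches any run of trailing characters; '.' is a literal here.
SELECT events.arc_sourceAddress      "Source IP",
       events.arc_destinationAddress "Dest IP",
       COUNT(events.arc_name)        "COUNT"
FROM   events
WHERE  events.arc_destinationAddress LIKE '192.168.64.%'
   OR  events.arc_destinationAddress LIKE '192.168.65.%'
GROUP BY events.arc_sourceAddress, events.arc_destinationAddress;

-- 2) REGEXP where LIKE falls short: third octet in 64..79
--    (192.168.64.0 through 192.168.79.255, i.e. 192.168.64.0/20).
--    Pattern notes:
--      ^                 anchor at the start; unanchored, '1192.168.64.1' matches too
--      \\.               literal dot; '\\.' in a MySQL single-quoted string reaches
--                        the regex engine as '\.', while a bare '.' matches any char
--      (6[4-9]|7[0-9])   third octet 64..79
--      trailing \\.      closes the octet so '192.168.641.x' cannot match
SELECT events.arc_sourceAddress      "Source IP",
       events.arc_destinationAddress "Dest IP",
       COUNT(events.arc_name)        "COUNT"
FROM   events
WHERE  events.arc_destinationAddress REGEXP '^192\\.168\\.(6[4-9]|7[0-9])\\.'
GROUP BY events.arc_sourceAddress, events.arc_destinationAddress;

-- 3) Same idea on event names: anchored alternation. Unanchored
--    'accept|Login' would also match names such as 'unaccepted'
--    or 'PostLoginFailure'.
SELECT events.arc_name "Event Name",
       COUNT(*)        "COUNT"
FROM   events
WHERE  events.arc_name RLIKE '^(accept|Login)'
GROUP BY events.arc_name;
```

Because a REGEXP filter has to evaluate every candidate row, keep the cheap LIKE predicates (or a time window) in the WHERE clause alongside it so the regular expression runs over as small a set as possible.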