I'm quite new to ArcSight products.
I got a task to generate reports on Loggers, and there are some requirements that cannot be solved with the basic SQL LIKE operator, and it seems Logger's SQL (MySQL? Postgres?) handles neither the REGEX, SIMILAR TO nor RLIKE operators. Can you guys give me any suggestion about what I can use in queries? I'd prefer regex, no matter which flavour. Logger is 5.5 P1.
Logger report queries are based on MySQL, so you can use these options if needed.
For more detail see
One important point to highlight: REGEXP can slow your query, especially if you are running it against a large data set.
I suggest using LIKE and OR conditions before choosing REGEXP.
For example, I am interested in running a report against dst addresses that start with 192.168.64.*
Start with LIKE first:
SELECT events.arc_sourceAddress "Source IP",
       events.arc_destinationAddress "Dest IP"
FROM events
WHERE events.arc_destinationAddress LIKE '10.10.74.%';
For a REGEXP operation you can use:
SELECT events.arc_sourceAddress "Source IP",
       events.arc_destinationAddress "Dest IP"
FROM events
WHERE events.arc_destinationAddress REGEXP '^(10\\.10\\.|64\\.)';
For RLIKE, you can use the following:
SELECT events.arc_sourceAddress
FROM events
WHERE events.arc_name RLIKE '^accept|^Login';