cdcarlis@southe Trusted Contributor.

Using Regex in 'Set Event Field Actions' of a Rule

event Message:  Name : ERRPT: Core file was generated in /home/cores/coreE_xx##xxx#_string.1544326 from the process string .

I'm trying to capture "xx##xxx#_string" and have it in dcs4

Set Event Field Actions

>  deviceCustomString4 = $message.replaceAll(.*('\w{2,3}\d{1,2}\w{2,3}\d{1})_[a-z0-9]+\.','$1)

I have 2 questions

1.  Why isn't this working?

2.  How does ArcSight handle regex?  I'm pretty sure my expression is correct, but I don't understand how to tell ArcSight the function?  Does anyone know of solid information on this?  What is "ArcSight Regex"?  Thanks

-Dylan

Accepted Solutions
subindbabu Honored Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

Step 1:

Add 'evaluate velocity template' (for example, I am giving the name as dcs4) and paste the below statement.

$message.replaceAll('.*('\w{2,3}\d{1,2}\w{2,3}\d{1})_[a-z0-9]+\.','$1')    -- /* Please ensure your regex part */

Step 2:

In Actions tab, Set Event Field

deviceCustomString4 = $dcs4

Step 3:

In Aggregation tab, under Identical column, call your local variable (dcs4).

Please let me know the result, post this.

--SUBIN--
8 Replies
subindbabu Honored Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

Hi Dylan,

Can you try to create a local variable using your regex in a Velocity template and try to map that local variable to your rule event. Hopefully it will work.

--SUBIN--

subindbabu Honored Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

Hi Dylan,

Please let me know if you need to know how to do this.

--SUBIN--

cdcarlis@southe Trusted Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

I'm not as familiar with it but I'll give it a shot. Do I just copy paste my dcs4 = $message.replaceAll(regularexpression) in a local variable 'evaluate velocity template'?

cdcarlis@southe Trusted Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

Amazing, it worked! Granted my regex is off so it didn't give the intended output but I can fix that. Thank you!

cdcarlis@southe Trusted Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

Do you know of other functions besides 'replaceAll'?

maystrovichva Super Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

Let's look at Subin's example.

1. $message.replaceAll('.*('\w{2,3}\d{1,2}\w{2,3}\d{1})_[a-z0-9]+\.','$1')

$message is a variable that represents the Message field. It has String type. It is just a Java String. So potentially you can use methods from the Java String class. For example:

| Type | Method | Description |
| --- | --- | --- |
| String | concat(String str) | Concatenates the specified string to the end of this string. |
| int | indexOf(String str) | Returns the index within this string of the first occurrence of the specified substring. |
| int | lastIndexOf(String str) | Returns the index within this string of the last occurrence of the specified substring. |
| int | length() | Returns the length of this string. |
| String | substring(int beginIndex, int endIndex) | Returns a new string that is a substring of this string. |

and so on

More methods are here - String (Java Platform SE 7).

2. deviceCustomString4 = $dcs4

You have to ensure the types match. For example, the deviceCustomString4 field has String type, so the $dcs4 variable has to have String type too. Then the expression $dcs4=$some_field.some_method() means that some_method() has to return String type.

Mappings of field names to its types you can find here -

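Added example, not part of the thread or of ArcSight's documentation: since the post above notes that $message is a Java String, the thread's pattern can be checked with plain `String.replaceAll` outside the console. The sample message, the class and helper names, and the tightened `WHOLE_REGEX` are assumptions constructed for illustration; the thread's pattern is used with the quote after the opening parenthesis dropped.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CoreFileField {
    // Constructed message in the shape the question gives (xx##xxx#_string).
    static final String MESSAGE = "Name : ERRPT: Core file was generated in "
        + "/home/cores/coreE_ab12cde3_string.1544326 from the process string .";

    // The thread's pattern, minus the quote after "(". The greedy .* lets the
    // group start later than intended (\w also matches digits), and nothing
    // consumes the text after the dot, so that tail stays in the result.
    static final String THREAD_REGEX =
        ".*(\\w{2,3}\\d{1,2}\\w{2,3}\\d{1})_[a-z0-9]+\\.";

    // Assumed tightening (not from the thread): letters instead of \w, the
    // "_string" part inside the group, and a trailing .* so the whole message
    // is consumed and only the group is left.
    static final String WHOLE_REGEX =
        ".*_([A-Za-z]{2,3}\\d{1,2}[A-Za-z]{2,3}\\d_[a-z0-9]+)\\..*";

    // What the Velocity expression $message.replaceAll(regex, '$1') evaluates to.
    static String viaReplaceAll(String message, String regex) {
        return message.replaceAll(regex, "$1");
    }

    // Same extraction, but empty when the message does not match; replaceAll
    // returns the message unchanged in that case.
    static String viaMatcher(String message, String regex) {
        Matcher m = Pattern.compile(regex).matcher(message);
        return m.matches() ? m.group(1) : "";
    }

    public static void main(String[] args) {
        String other = "Name : ERRPT: unrelated event text"; // constructed
        System.out.println("thread regex : " + viaReplaceAll(MESSAGE, THREAD_REGEX));
        System.out.println("whole regex  : " + viaReplaceAll(MESSAGE, WHOLE_REGEX));
        System.out.println("no match     : " + viaReplaceAll(other, WHOLE_REGEX));
        System.out.println("matcher      : [" + viaMatcher(other, WHOLE_REGEX) + "]");
    }
}
```

Because `replaceAll` hands back the input untouched when nothing matches, a rule that fires on other message shapes will copy the full message into the target field unless the rule conditions filter those events out first.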
subindbabu Honored Contributor.

Re: Using Regex in 'Set Event Field Actions' of a Rule

Nice.

--SUBIN--