Open topic with navigation

Regex Helper Tool

The Regex Helper tool enables you to create regular expressions that can be used with the rex pipeline operator to extract fields of interest from an event. This tool not only simplifies the task of creating regular expressions for the rex operator but also makes it efficient and error free. For information about rex, see Search Operator Portion of a Query or Using the Rex Operator.

The tool, which is only available for non-CEF events (unstructured data), parses raw syslog events into fields and displays them in a table with 3 columns: Field Name, Raw Event Value, and Regex Value. You select the fields that you want to include in the rex expression of a query. The selected fields are automatically inserted in a search query as a rex expression.

Using the Regex Helper Tool

  1. Enter a search query that finds events of interest to you. For information about running a search, see Running a Search.
  2. Identify a syslog event that you want to analyze further.
  3. Click the arrow (in the left-most column) for the identified event.
  4. Next to the word RAW, click the icon.
  5. Click the field that you need to include in the query. To select several fields CTRL + Click. To select a group of fields lined up in order, press SHIFT+ Click .
    6. Tip: To select all fields, click Select All located on top of the field name. To deselect the fields, click Clear Selection.

  6. Click Load. Otherwise, click Close to cancel the action.

The rex expressions pertaining to the selected fields are automatically entered in the search query box. In this example we want to extract the IP addresses from events. Therefore, the IPAddress_1 field is selected in the Regex Helper tool.

Once the IP address is selected and you click Load, the rex expression that includes the regular expression for those IP addresses is displayed in the Search text box, as shown in the following example.

_deviceGroup in ["Logger Internal Event Device [Apache URL Access Error Log]"] | rex "(?<IPAddress_1>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?<TimeStamp_1>\d+/\S+/\d+:\d+:\d+:\d+ \S+)\.*"

From this point, you can include additional pipeline operators in this query to create charts, identify the top five IP addresses, and so on. In the following example, the above query is modified to identify the top IP addresses.

_deviceGroup in ["Logger Internal Event Device [Apache URL Access Error Log]"] | rex "(?<IPAddress_1>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?<TimeStamp_1>\d+/\S+/\d+:\d+:\d+:\d+ \S+)\.*" | top IPAddress_1