A.5 Regular Expression Queries

Regular expression queries allow you to search for events that match a pattern. These queries must be enclosed in forward slashes (/). For example, to search for an initiator user name that ends with the character “a”, you can specify the search query as follows:

sun:/.*a/

If you need to include special characters in your query, you must escape them by preceding each one with the backslash (\) character. For example, to search for an initiator user name that ends with the character “$”, you can specify the search query as follows:

sun:/.*\$/

For more information about using special characters, see Special Characters.

If an event field value contains multiple strings and you want to search for certain strings in a particular sequence, you can specify the query by enclosing the strings in quotes. For example, to search for TargetAttributeValue with the strings 513, 10, and 512 in the same sequence, you can specify the query as follows:

rv43:(+"513"+"10"+"512")
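The following Python helper is an added example, not part of the product or its documentation. It builds the three queries shown above from literal input, so a value taken from an alert (such as a user name containing "$" or "/") is escaped before it is placed between the slashes. The function names and the set of characters treated as special are assumptions; replace the set with the list given in Special Characters.

```python
import re

# Assumption: characters that need a backslash. The product's own
# "Special Characters" list is not on this page; adjust this set to match it.
ASSUMED_SPECIALS = set('\\/.*+?|()[]{}^$"~:!-&#@<>')

# Field short names on this page (sun, rv43) are plain alphanumerics.
FIELD_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]*\Z")


def check_field(field):
    """Reject field names that could smuggle query syntax into the search."""
    if not FIELD_NAME.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    return field


def escape_literal(text):
    """Precede every assumed special character with a backslash."""
    return "".join("\\" + ch if ch in ASSUMED_SPECIALS else ch for ch in text)


def ends_with_query(field, literal):
    """Regular expression query for field values that end with `literal`."""
    if not literal:
        # A bare /.*/ would match every event, the costly case the note warns about.
        raise ValueError("empty literal would match every event")
    return f"{check_field(field)}:/.*{escape_literal(literal)}/"


def sequence_query(field, strings):
    """Query for quoted strings that must appear in the given sequence."""
    if not strings:
        raise ValueError("at least one string is required")
    parts = []
    for s in strings:
        if '"' in s or "\\" in s:
            # Quoting rules inside "..." are not described on this page.
            raise ValueError(f"cannot quote {s!r} safely")
        parts.append(f'+"{s}"')
    return check_field(field) + ":(" + "".join(parts) + ")"


if __name__ == "__main__":
    print(ends_with_query("sun", "a"))                  # constructed inputs
    print(ends_with_query("sun", "$"))
    print(sequence_query("rv43", ["513", "10", "512"]))
```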

NOTE: Regular expression queries use significantly more system resources than other kinds of queries because they cannot leverage the more efficient data structures available in the index. Executing a regular expression query takes longer than other kinds of queries and can pull system resources away from other components of the system. Therefore, use regular expression queries carefully and narrow the breadth of the search as much as possible by using a time range and non-regular expression criteria terms.