Applying a regular expression to the pattern criteria

Using regular expressions, you can test for matches within unstructured resource information in the selected resource column.

Before you begin

The Resource field is used for grouping events in the Event Viewer. Event matching occurs in the following order:
  1. Exact match
  2. Regular expression
  3. Name similarity

To access the View Related Events and Events Pattern portlets, users must be assigned the ncw_analytics_admin role.

About this task

Exact match only creates groups if all the resource strings in the resource field (for example, in the Node field) are identical. Using regular expressions, you can extract a portion of the resource string from the resource field and group on that portion.

The regular expression is used to match specific information from unstructured data in the selected resource column.
Note: A regular expression can only be specified under the following conditions:
  • One column has been selected for the resource.
  • Multiple columns with OR logic have been selected for the resource. OR logic is the default.
A regular expression cannot be specified when multiple columns with AND logic have been selected for the resource.
You can configure whether multiple resource columns should be combined using AND or OR logic. For more information, see Configuring multiple resource columns.

Procedure

  1. Start the Events Pattern portlet for a group. For more information about starting the portlet, see Creating a pattern from an unallocated group.
  2. Proceed as follows:
    • To apply a new regular expression, click the regular expression icon in the Pattern Criteria tab of the Events Pattern portlet.
    • To modify an existing regular expression, click the Confirm icon in the Pattern Criteria tab of the Events Pattern portlet.

    The Regular Expression dialog box is displayed.

  3. Insert or edit the regular expression in the Expression field.
    The following example demonstrates how regular expressions can be used to provide more fine-grained related event groups. Assume your Node field contains resources made up of a country, a city, and a suffix such as .com, for example:
    • Italy-Rome.com
    • Italy-Milan.com
    • UK-London.com
    • UK-Belfast.com
    In this example, use the following regular expression to extract the countries and the cities from the Node field using the regular expression grouping capability.
    ([a-zA-Z].*)-([a-zA-Z].*).com
    Based on the four examples, the following would be extracted:
    Node field value    Extracted group 1    Extracted group 2
    Italy-Rome.com      Italy                Rome
    Italy-Milan.com     Italy                Milan
    UK-London.com       UK                   London
    UK-Belfast.com      UK                   Belfast
    Note that the first group extracted by the regular expression is the one that is used. In the example, two event groups would be created: the first based on the extracted resource string Italy, the second based on the extracted resource string UK.
  4. To change or select the event type to which the regular expression is applied, select an event type from the drop-down list in the Test Data field.
    Note: A regular expression only works on multiple resource fields if the fields are combined using OR logic. If a pattern has two or more event types, and they use more than one resource field, then ensure that OR logic is configured. For more information on how to do this, see Configuring multiple resource columns.
  5. To test the regular expression, select Test. The test results are displayed in the Result field.
    Note: If there are multiple matches for the given regular expression, the matches are displayed in the Result field as a comma-separated list.
  6. To save and apply the regular expression, select Save. The Regular Expression dialog box is closed. A confirm symbol is displayed.
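
The grouping described in step 3 can be checked offline before an expression is saved. The following is an added example, not part of the product or its documentation: it applies the expression from step 3 to the four Node values and to two constructed edge cases, and compares it with a stricter expression (STRICT_REGEX, an assumption introduced here). It assumes that Python's re module treats this expression the same way as the product's regular expression engine.

```python
import re
from collections import defaultdict

# Expression from step 3, and a stricter variant added here for comparison:
# anchored, no greedy ".*" in group 1, and the dot before "com" escaped.
PAGE_REGEX = r"([a-zA-Z].*)-([a-zA-Z].*).com"
STRICT_REGEX = r"^([a-zA-Z]+)-([a-zA-Z-]+)\.com$"

# Node values from the page.
PAGE_NODES = ["Italy-Rome.com", "Italy-Milan.com", "UK-London.com", "UK-Belfast.com"]
# Constructed edge cases: a hyphenated city, and a name with no ".com" suffix.
EDGE_NODES = ["UK-Stoke-on-Trent.com", "UK-Telecom"]


def group_by_first_capture(pattern, nodes):
    """Group node strings by capture group 1; unmatched nodes go under None."""
    compiled = re.compile(pattern)
    groups = defaultdict(list)
    for node in nodes:
        match = compiled.search(node)
        groups[match.group(1) if match else None].append(node)
    return dict(groups)


if __name__ == "__main__":
    for label, pattern in (("page", PAGE_REGEX), ("strict", STRICT_REGEX)):
        print(label, group_by_first_capture(pattern, PAGE_NODES + EDGE_NODES))
```

With the expression from step 3, the greedy first group turns UK-Stoke-on-Trent.com into its own resource string (UK-Stoke-on), and the unescaped dot lets UK-Telecom match as if it ended in .com; the stricter expression keeps the first in the UK group and leaves the second unmatched.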