Extending patterns

Using regular expressions and name similarity, you can enable the discovery of a pattern instance on more than one resource.

By default, live events are considered for inclusion in event patterns by exact matching of the resource or resources associated with each event. The resource (or resources) associated with the event are checked against the resource values in the pattern. For each resource column, the resource column value in the live event must exactly match the expected resource value in the pattern.

You can extend pattern matching functionality using the following methods to enable the discovery of a pattern instance on more than one resource:
  • Regular expressions
  • Name similarity

Regular expressions

You can define a regular expression to apply to the contents of the resource field or fields during pattern matching. Resource names that match the regular expression are candidates to be included in a single pattern. Specifying a regular expression is optional and is done when you create a pattern.

Name similarity

Name similarity uses a string comparison algorithm to determine whether the resource names contained in two resource fields are similar. Name similarity is enabled by default, and is applied at two points in the process:
The name similarity settings force the lead character to be the same and the main body of the resource name to be 90% similar. For more information on how to configure name similarity settings, see Configuring name similarity.
Note: There is a notable exception to this. If the Node column (or whichever columns are used to store resource values) holds IP addresses, then the IP addresses must match down to the subnet value. In an IPv4 environment, this means the first, second, and third octets must be the same. For example, the following two IP addresses will match for the purposes of name similarity:
  • 123.456.789.10
  • 123.456.789.11
However, the following two IP addresses will not match:
  • 123.456.789.10
  • 123.456.788.11

Using the methods together

Name similarity and regular expression functionality are not mutually exclusive. If name similarity is configured, you can also define regular expressions. Pattern matching is processed in the following order:
  1. Exact match
  2. Regular expression
  3. Name similarity
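
The processing order above, together with the lead-character, 90% and IP subnet rules, can be sketched as follows. This is an added example, not the product's code: the function names are hypothetical, Python's difflib ratio stands in for the unspecified string comparison algorithm, and the regular expression is assumed to have to match the whole resource name.

```python
import re
from difflib import SequenceMatcher

# Four dot-separated numeric fields. Octet ranges are deliberately not
# validated so the page's illustrative addresses are accepted as written.
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def name_similar(a, b, threshold=0.90):
    """Name similarity as the page describes it.

    IPv4 values: first, second and third octets must be identical.
    Other names: same lead character, body at least `threshold` similar.
    ASSUMPTION: difflib's ratio stands in for the product's comparison.
    """
    if IPV4.match(a) and IPV4.match(b):
        return a.split(".")[:3] == b.split(".")[:3]
    if not a or not b or a[0] != b[0]:
        return False
    return SequenceMatcher(None, a[1:], b[1:]).ratio() >= threshold

def match_stage(event_resource, pattern_resource, pattern_regex=None):
    """Return the first stage that accepts the event resource, or None.

    Order follows the page: exact match, regular expression, name similarity.
    ASSUMPTION: the regex must cover the whole resource name (fullmatch).
    """
    if event_resource == pattern_resource:
        return "exact"
    if pattern_regex and re.fullmatch(pattern_regex, event_resource):
        return "regex"
    if name_similar(event_resource, pattern_resource):
        return "similarity"
    return None

if __name__ == "__main__":
    # Constructed sample: (event resource, pattern resource, optional regex)
    samples = [
        ("edge-router-london-01", "edge-router-london-01", None),
        ("edge-router-london-02", "edge-router-london-01", r"edge-router-.*"),
        ("edge-router-london-02", "edge-router-london-01", None),
        ("email-gateway-03", "edge-router-london-01", None),
        ("123.456.789.11", "123.456.789.10", None),
        ("123.456.788.11", "123.456.789.10", None),
    ]
    for event, pattern, regex in samples:
        print(f"{event:24} vs {pattern:24} -> {match_stage(event, pattern, regex)}")
```

Reporting the stage that accepted each resource shows when a broad regular expression or the similarity threshold, rather than an exact match, is what placed two hosts in the same pattern.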