IBM Support

QRadar: Regular expression filters starting and ending with square brackets fail



If a 'Payload Matches Regular Expression' filter is created with an expression starting and ending with square brackets, the filter add will fail with a ValidationException stating 'This is not a valid regular expression: Unclosed character class near ...'


QRadar removes the outer brackets from the expression.

Resolving The Problem

To resolve this issue, you need an additional set of square brackets included at the ends of Regular Expression.


needs to be written as


Results: By adding the additional set of square brackets the Regular Expression works.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.3;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018