
Macro expressions


Correlation expressions can become quite complex, and are often reused in different locations. To facilitate the configuration and maintenance of these expressions, BMC Defender Server employs a macro facility.

Macros are defined in the Correlation > Config > Macros screen, and correspond to any expression. The user defines a macro name, the expression, and then uses that macro in the Match-expressions field of the Threads, Actions, or Triggers screen.

Macros have a special naming convention: each macro is in the form @@name@@, where name is the name of the macro. When the user enters a macro name, BMC Defender Server substitutes the value of the macro, which can be a simple or highly complex expression. You can modify the macro value in the Config > Macros screen to effect an immediate change to the system, which makes correlation rules easy to maintain.

Note

Macros cannot be nested, but several macros can be used in a single expression. 

Example

You can define a macro named @@logins@@ and a macro named @@database@@, and then enter the correlation match expression @@logins@@ and not @@database@@ to match any message that is a login but not a database message.

Macros can be entered only in Correlation screens, and cannot be used as filters or overrides in the Messages screen.
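The following is an added illustration of the substitution rules described above (the @@name@@ token form, several macros per expression, no nesting); it is not BMC Defender Server code. The macro names come from the example above, while the expression text inside the macro values and the `~` operator are invented for illustration, since the page does not specify the match-expression grammar.

```python
import re

# Constructed sample macro table. The names match the page's example; the
# values are invented placeholders standing in for real match expressions.
MACROS = {
    "logins": "(message ~ 'login' or message ~ 'logon')",
    "database": "(facility == 'db' or message ~ 'sql')",
}

# A macro reference is the name wrapped in @@ ... @@.
MACRO_RE = re.compile(r"@@([A-Za-z0-9_]+)@@")


def expand_macros(expression, macros=MACROS):
    """Replace every @@name@@ in a match expression with the macro's value.

    Substitution is a single pass: a @@name@@ token found inside a macro's own
    value is left as literal text rather than expanded again, mirroring the
    rule that macros cannot be nested (how the product itself reports a nested
    macro is not stated on the page). An unknown macro name raises ValueError
    so a typo does not silently produce a rule that never fires.
    """
    def replace(match):
        name = match.group(1)
        if name not in macros:
            raise ValueError(f"undefined macro: @@{name}@@")
        return macros[name]

    return MACRO_RE.sub(replace, expression)


def nested_macros(macros=MACROS):
    """Return the names of macros whose value references another macro.

    Useful as a configuration check, because such a value would not be
    expanded further and the rule would not mean what its author intended.
    """
    return sorted(name for name, value in macros.items() if MACRO_RE.search(value))


if __name__ == "__main__":
    print(expand_macros("@@logins@@ and not @@database@@"))
    print("nested:", nested_macros())
```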


BMC Defender SIEM Correlation Server 5.9