Rules and expressions


This section introduces correlation rules and expressions, which are discussed in detail in the next several sections. The BMC Defender Server system provides a useful tool, the Expression Eval Tool, for understanding how these expressions behave.

  1. To open the Expression Eval Tool, click the More hyperlink at the far right of the display and then click the Expr Tool hyperlink. (There is no other way to reach this screen; it is accessible only through the More menu.) The following screen is displayed.
    [Screenshot: the Expression Eval Tool screen]

    This tool has two text input windows:

    • The Match Expression window accepts a correlation pattern.
    • The Target String window accepts a target string, that is, the particular message that the match expression is tested against.
  2. To test the expression, enter a match expression and a target string, and then click Submit.

    The result of the evaluation is displayed at the bottom of the screen as either Expression Matches or Expression Does Not Match.

    The bottom of the screen also shows the Expanded Match Expression (with any global variable and macro substitution applied, as discussed in later sections) and the Normalized Target String (the message with all letters converted to lower case and runs of multiple blanks squeezed to a single blank).

    The Expanded Match Expression is particularly useful for learning how global variables and macros behave, because the Expression Eval Tool shows the final match expression that is actually evaluated, with every macro and global variable name replaced by its value.

    You can use this tool to quickly test the BMC Defender Server Match Expression capabilities and learn the general behavior of BMC Defender Server correlation functions.

Note

BMC recommends that you look at this tool now before starting the next section, as the next several sections deal exclusively with a discussion of this capability.
