Simple match expressions


Correlation expressions are the primary building block for the BMC Defender Server engine and the main way of performing exact data reduction and correlation.

As messages are received by the BMC Defender Server system, each message is compared to all the various correlation expressions configured in the Threads, Triggers and Actions screens of the system. When a received message matches a particular expression, an action occurs such as updating the Thread with the message, setting a Trigger state, or executing an Action program. Each message might match multiple correlation expressions configured in assorted locations within the system.

Correlation expressions are simple to get started with, but they can also be very specific and lengthy, as discussed here. A correlation expression can consist of a simple keyword, a full word, a keyword wildcard, a quote-delimited string, or a logical conjunction of any of these items. Expressions can also reference global variables, which are discussed in the subsequent section.

This section provides a basic overview of simple match expressions consisting of keywords, key phrases, logical operators, and parenthetical nesting. The basic expressions presented here are sufficient to satisfy a large number of correlation requirements. More sophisticated expressions, including global variables and comparison operators, are discussed in the subsequent sections.

  • Case insensitivity—Correlation expression matches are always case-insensitive.
  • Simple keywords—Correlation expressions can consist of simple keywords that match any portion of the message.

    su matches success or super user.

  • Phrases—If the correlation expression contains spaces, it must be quoted.

    "super user" (with the double quotes) matches super user and super users.

  • Full word matches—To match a full word instead of a partial match, the match expression must be preceded and followed by a single space.

    " su " (with the surrounding spaces and double quotes) matches the su user logged in, su login, and login by su. In the expression, the leading space matches a space or the beginning of line; the trailing space matches a space or the end of line.

  • Wildcards—A keyword can contain a (*) wildcard to match zero or more characters and a (?) wildcard to match a single character.

    test*fail matches messages such as the test failed, the test did not fail, and also testfail.

  • Logical operators—To join various expressions into a larger expression, use the and, or, xor and not logical operators.

    test and not fail matches any message that contains the keyword test and not the keyword fail, anywhere in the line.

  • Default logical And—If an expression is composed of several sub-expressions without a logical operator, the sub-expressions are joined by an implied and, and each expression must match the message.

    While "super user" matches the specified phrase, if the double quotes are omitted it is equivalent to super and user, and the message must contain both keywords in any order.

  • Parenthetical nesting—You can specify the precedence of evaluation using parentheses, which can be deeply nested.

    (test and file) or (system and user) matches any message containing both test and file, or any message containing system and user.
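As an added illustration (not BMC Defender Server code), the following Python evaluator implements the simple match syntax described above: case-insensitive keywords, quoted phrases, full-word matches via surrounding spaces, the * and ? wildcards, and, or, xor and not, the implied and, and parentheses. The page does not state how and, xor and or rank against each other without parentheses, so the precedence used here (not, then and, then xor, then or) is an assumption.

```python
import re
TOKEN_RE = re.compile(r'"([^"]*)"|([()]|[^\s()"]+)')   # quoted phrase | parenthesis or bare word
KEYWORDS = ("and", "or", "xor", "not", "(", ")")
# Assumed precedence, lowest first (the page documents only parentheses): or < xor < and < not.
LEVELS = [("or", lambda a, b: a or b), ("xor", lambda a, b: a != b), ("and", lambda a, b: a and b)]
def tokenize(expr):
    # A quoted "and" is a search term; a bare and/or/xor/not (any case) is an operator.
    toks = [(raw.lower(), None) if raw.lower() in KEYWORDS else ("TERM", raw or quoted)
            for quoted, raw in TOKEN_RE.findall(expr)]
    return toks + [("END", None)]   # sentinel so the parser never runs off the end

def term_regex(term):
    # '*' = zero or more chars, '?' = one char; a leading/trailing space means a
    # full-word match (space or line boundary). Matching is always case-insensitive.
    body = re.escape(term.strip(" ")).replace(r"\*", ".*").replace(r"\?", ".")
    lead = "(?:^| )" if term.startswith(" ") else ""
    trail = "(?: |$)" if term.endswith(" ") else ""
    return re.compile(lead + body + trail, re.IGNORECASE)

def parse(toks, level=0):
    if level == len(LEVELS):
        return parse_unary(toks)
    name, op = LEVELS[level]
    f = parse(toks, level + 1)
    # At the "and" level a missing operator between sub-expressions is an implied and.
    while toks[0][0] == name or (name == "and" and toks[0][0] in ("not", "(", "TERM")):
        if toks[0][0] == name:
            toks.pop(0)
        f = (lambda a, b: lambda msg: op(a(msg), b(msg)))(f, parse(toks, level + 1))
    return f

def parse_unary(toks):
    kind, text = toks.pop(0)
    if kind == "not":
        return (lambda g: lambda msg: not g(msg))(parse_unary(toks))
    if kind == "(":
        f = parse(toks)
        if toks.pop(0)[0] != ")":
            raise ValueError("missing ')'")
        return f
    if kind == "TERM":
        rx = term_regex(text)
        return lambda msg: rx.search(msg) is not None
    raise ValueError("unexpected " + kind)

def matches(expr, message):
    toks = tokenize(expr)
    f = parse(toks)
    if toks[0][0] != "END":
        raise ValueError("unexpected " + toks[0][0])
    return f(message)
```

Running the page's own examples through it (constructed messages): `matches('" su "', "login by su")` is true while `matches('" su "', "success")` is false, and `matches("test and not fail", "test failed")` is false.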
