Match expressions
BMC Defender Server match expressions can be simple keywords, keywords and wildcards, or can be more complex expressions incorporating and, or, xor, and not conjunctives. Expressions can contain parenthetical nesting to change the order of evaluation.
- Case insensitive matches—All matches are case insensitive.
- Partial matches to keywords—Matches can be partial.
- Wildcard matches—Any keyword can also contain the wildcards (*) to match zero or more occurrences of a string, (?) to match a single character, or (^) to match the beginning of the line.
- Literal matches—To match a literal string, the string must be enclosed in quotes. Single or double quotes can be used. Any single keyword or wildcard expression can also be quoted, although this is generally not necessary unless the keyword or wildcard contains space characters.
- AND operator—To require various keywords in the message, use the AND operator.
- OR operator—To require a selection of keywords in the message, use the OR operator.
- XOR operator—To require either of the two keywords, but not both, use the XOR operator.
- NOT operator—To negate a keyword, prefix it with the NOT operator.
- Parenthetical nesting—More complex expressions can be constructed using parentheses to determine the order of evaluation.
- Field matches—Parenthetical terms can include matches to specific fields, such as (A in $5), where the keyword A must appear in the fifth word of the message portion of the input line. BMC Defender Server permits both the in and eq operators in field matches, where ($5 eq XXX) requires the fifth word of the message to precisely match XXX, and (ZZZ in $12) requires the keyword ZZZ to appear in the $12 word of the message.
- Parsed field matches—Expressions can contain special parser functions that match a particular field only if the field has a property, such as being an email address, number, URL, or geographical location.
Match expression examples
Together, these rules permit a wide degree of flexibility in matching input lines. Some examples of these rules are shown as follows:
| Expression | Description |
| --- | --- |
| Hello | Match any occurrence of Hello or hello or HELLO in the input line. |
| Not Hello | Match any line that does not contain an occurrence of hello. All matches are case insensitive. |
| "Hello World" | Match any occurrence of Hello World in the input line, including spaces. The pattern must be enclosed in balanced single or double quote marks, because the pattern contains a space. |
| Hello*World | Matches Hello World, and Hello There World, and any other input line containing Hello, followed by any number of characters, followed by World. Since the keyword contains no spaces, quote marks are optional. |
| Hello or World | Matches any line that contains the keyword Hello, or the keyword World, or both, in any order. |
| Hello xor World | Matches any line that contains the keyword Hello, or the keyword World, but not both. |
| Hello and not World | Matches any line that contains the keyword Hello, except for those lines that also contain the keyword World. |
| not (Hello or World) | Matches any line that does not contain the keyword Hello or the keyword World. |
| (not Hello) and (not World) | Identical to the previous. Match any line that does not contain the keyword Hello and also does not contain the keyword World. |
| (Hello eq $7) | Matches any line where the seventh word of the message, delimited by white space, is Hello. |
| not (World in $5) | Matches any line where the fifth word of the message, delimited by white space, does not contain the keyword World. |
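
To dry-run a filter against sample log lines before deploying it, the rules above can be modelled in a few lines of Python. This is an added example, not BMC Defender Server code: the names `matches` and `term_regex` are hypothetical, and it assumes that `not` binds tightest, that `and`/`or`/`xor` are applied left to right, that quotes only group text containing spaces, and that the whole string passed in is the message portion.

```python
import re

# Added model, not BMC code. Assumptions: "not" binds tightest, and/or/xor are
# applied left to right, quotes only group text, the whole string is the message.
TOKEN = re.compile(r"""\(|\)|"[^"]*"|'[^']*'|[^\s()]+""")
WILD = {"*": ".*", "?": ".", "^": "^"}  # any run, one character, start of line

def term_regex(term):
    body = "".join(WILD.get(c, re.escape(c)) for c in term)
    return re.compile(body, re.IGNORECASE)  # all matches are case insensitive

def matches(expr, line):
    toks, words, pos = TOKEN.findall(expr), line.split(), 0

    def peek(offset=0):
        return toks[pos + offset].lower() if pos + offset < len(toks) else ""
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]  # IndexError if the expression ends early

    def primary():
        if peek() == "not":
            take()
            return not primary()
        if peek() == "(":
            take()
            value = expression()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        term = take().strip("\"'")
        if peek() in ("in", "eq") and "$" in (term[:1], peek(1)[:1]):
            op, other = take().lower(), take()
            ref, key = (term, other) if term.startswith("$") else (other, term)
            idx = int(ref[1:]) - 1  # $5 is the fifth whitespace-delimited word
            word = words[idx] if 0 <= idx < len(words) else ""
            rx = term_regex(key.strip("\"'"))
            return bool(rx.fullmatch(word) if op == "eq" else rx.search(word))
        return bool(term_regex(term).search(line))  # partial match anywhere

    def expression():
        value = primary()
        while peek() in ("and", "or", "xor"):
            op, rhs = take().lower(), primary()
            value = {"and": value and rhs, "or": value or rhs, "xor": value != rhs}[op]
        return value

    result = expression()
    if pos != len(toks):
        raise ValueError("unexpected token: " + toks[pos])
    return result
```

Calling `matches("Hello and not World", line)` on each line of a captured log shows which lines a filter would select; where the product's documented behaviour differs from the assumptions listed, the product is authoritative.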