Using parse expressions


The parsing functions of the BMC Defender Server are used in a variety of places throughout the system. This section contains a detailed explanation of these Parse Expressions, their usage, their syntax, and general application notes.

Parse Expressions allow the program to extract information from a string or message, such as a particular field value, identified by a simple field number, match expression, or a more complex function. 

Example

You can use Parse Expressions to create specific matches on fields, as well as to extract fields for an enumerated display of counts (such as on the Analyze screens for Threads and Devices).

Parse Expressions are used in the following locations in the system.

  • Catalog Analyze Screen—The operator can interactively specify a Parse Expression to extract data from any catalog. The operator clicks the Analyze link at the top of the Messages > Devices, Messages > Users, Correlation > Threads, or other catalog screens, then clicks the Parse link. The operator can then enter a Parse Expression to extract, enumerate, and tabulate data from the set of selected messages.
  • Reports > Query Screen—The operator can specify a Parse Expression to extract data from any query generated by the Query function. The operator clicks on the Analyze link after running a query and then clicks the Parse link. The operator can then enter a Parse Expression to extract, enumerate, and tabulate data from the query results.
  • Excel Reports—The operator can specify a Parse Expression in the Reports > Excel facility by clicking Message Parsing Rules on the Add New and Edit screens. This allows you to populate a spreadsheet with the values parsed from a set of messages.
  • Pivot Reports—The operator can specify a Parse Expression on the Reports > Pivot screen. Parse Expressions provide one way of populating a pivot report with parsed values (the other way being to parse message data by field number, selected on the Add New or Edit screen).
  • Dashboard Gadgets—The dashboard facility can display lists of parsed values using the Parse-Thread-Gadget.exe program that allows the operator to depict an occurrence count of parsed values from a set of messages.
  • Thread (and other) Match Expressions—The operator can include a Parse Expression within a match expression, so that a message is matched only if a certain parsed value exists within it, for instance, if the fifth space-delimited word of the message contains an expected text string.
  • User Discovery—The User Discovery Match Patterns, accessed through the Messages > Users > Advanced screen, permit the operator to specify Parse Expressions in order to discover user names within messages.
  • Filter And Override Screens—The Messages > Config > Filters and Messages > Config > Overrides screens allow the operator to use Parse Expressions to match specific keywords.

    Note

    Use Parse Expressions here cautiously. Filters and overrides are high-speed match patterns, and a Parse Expression adds processing expense to every message they evaluate.

  • Match Expression Evaluation Tool—BMC Defender includes a simple Match Expression Evaluation Tool, accessed through the More > Match Expr menu. This tool permits the operator to test expressions against user input strings, including the ability to test parse expressions.
  • CPars.exe Command-Line Tool—All the functions in this section are supported by the CPars.exe command-line tool, found in the cli-bin folder of BMC Defender installations. This command-line tool allows simple scripting of complex parse functions for report generation, forensics, or test.
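The locations above all rely on the same three operations: extracting a field from a message (for example, the n-th space-delimited word), testing whether that field contains an expected string, and tabulating how often each extracted value occurs. The following is an added illustration of those operations in plain Python; it is not BMC Defender's Parse Expression syntax, nor the CPars.exe tool, and the syslog-style messages, the `USER_PATTERN` regular expression, and all function names are constructed for this example.

```python
"""Added example: field extraction, field matching, and tabulation over a
set of messages, written in plain Python to illustrate the operations the
page describes. Not BMC Defender's Parse Expression syntax."""
import re
from collections import Counter
from typing import Callable, Iterable, Optional

# Constructed sample messages (not captured from a real system).
MESSAGES = [
    "Jan 10 10:01:02 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 10:01:07 host1 sshd[1202]: Failed password for bob from 10.0.0.9 port 51240 ssh2",
    "Jan 10 10:01:09 host2 sshd[880]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Jan 10 10:01:12 host2 sshd[881]: Failed password for bob from 10.0.0.9 port 51241 ssh2",
    "Jan 10 10:02:00 host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "short message",
]


def field(message: str, n: int) -> Optional[str]:
    """Return the n-th space-delimited word (1-based) of a message.

    Returns None when the message has fewer than n words, so callers
    can distinguish "field absent" from "field present but empty".
    """
    words = message.split()
    if 1 <= n <= len(words):
        return words[n - 1]
    return None


def field_contains(message: str, n: int, text: str) -> bool:
    """Match expression: true only if field n exists and contains text."""
    value = field(message, n)
    return value is not None and text in value


def tabulate(messages: Iterable[str], n: int,
             where: Optional[Callable[[str], bool]] = None) -> Counter:
    """Extract field n from each message (optionally only those passing
    the `where` predicate) and count how often each value occurs.
    Messages too short to have field n are skipped rather than counted
    under a None bucket."""
    counts: Counter = Counter()
    for message in messages:
        if where is not None and not where(message):
            continue
        value = field(message, n)
        if value is not None:
            counts[value] += 1
    return counts


# Constructed pattern for user discovery: pulls the account name out of
# OpenSSH-style "Accepted/Failed password for [invalid user] NAME" text.
USER_PATTERN = re.compile(r"\b(?:Accepted|Failed) password for (?:invalid user )?(\w+)\b")


def discover_users(messages: Iterable[str]) -> Counter:
    """User discovery: count user names found by USER_PATTERN in each message."""
    counts: Counter = Counter()
    for message in messages:
        match = USER_PATTERN.search(message)
        if match:
            counts[match.group(1)] += 1
    return counts


if __name__ == "__main__":
    # Field 4 is the host name in the constructed messages; tabulate it.
    print("messages per host:", tabulate(MESSAGES, 4))
    # Field 9 is the user name only in sshd lines, so restrict by field 5.
    print("users in sshd lines:",
          tabulate(MESSAGES, 9, where=lambda m: field_contains(m, 5, "sshd")))
    print("discovered users:", discover_users(MESSAGES))
```

The `where` predicate is the piece to watch when a parse is placed on a filter or override: it is evaluated for every message, so in that position it should be as cheap as the example's substring test on a single field, not a regular expression over the whole message.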
