Match expressions
Create BMC Defender Server match expressions with simple keywords, keywords and wildcards, or more complex expressions that use AND, OR, XOR, and NOT conjunctives. Expressions can contain parenthetical nesting to change the order of evaluation.
Match expression types
The following table describes different types of expressions:
Expression type | Description |
---|---|
Case insensitive matches | All matches are case insensitive. |
Partial matches to keywords | Matches can be partial. |
Wildcard matches | Any keyword can contain the following wildcard: |
Literal matches | To match a literal string, enclose the string in quotes. Single or double quotes can be used. Any single keyword or wildcard expression can also be quoted, although this is generally not necessary unless the keyword or wildcard contains space characters. |
AND operator | To require various keywords in the message, use the AND operator. |
OR operator | To require a selection of keywords in the message, use the OR operator. |
XOR operator | To require either of two keywords, but not both, use the XOR operator. |
NOT operator | To negate a keyword, prefix it with the NOT operator. |
Parenthetical nesting | More complex expressions can be constructed using parentheses to determine the order of evaluation. |
Field matches | Parenthetical terms can include matches to specific fields. BMC Defender Server permits both the in and eq operators in field matches. |
Parsed field matches | Expressions can contain special parser functions that match a particular field only if the field has a property such as being an email address, number, URL, or geographical location. |
Match expression examples
The match expression types permit a wide degree of flexibility in matching input lines. The following table shows some examples:
Expression | Description |
---|---|
Hello | Matches any occurrence of Hello, hello, or HELLO in the input line. |
NOT Hello | Matches any line that does not contain an occurrence of hello. All matches are case insensitive. |
"Hello World" | Matches any occurrence of Hello World in the input line, including spaces. The pattern must be enclosed in balanced single or double quote marks because the pattern contains a space. |
Hello*World | Matches Hello World, Hello There World, and any other input line containing Hello, followed by any number of characters, followed by World. Because the keyword contains no spaces, quotation marks are optional. |
Hello OR World | Matches any line that contains the keyword Hello, or the keyword World, or both, in any order. |
Hello XOR World | Matches any line that contains the keyword Hello, or the keyword World, but not both. |
Hello AND NOT World | Matches any line that contains the keyword Hello, except for those lines that also contain the keyword World. |
NOT (Hello or World) | Matches any line that does not contain the keyword Hello or the keyword World. |
(NOT Hello) AND (NOT World) | Identical to the previous expression; matches any line that does not contain the keyword Hello and also does not contain the keyword World. |
(Hello EQ $7) | Matches any line where the seventh word of the message, delimited by white space, is Hello. |
NOT (World IN $5) | Matches any line where the fifth word of the message, delimited by white space, does not contain the keyword World. |
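To check a rule against sample log lines before relying on it, the following added example (not BMC code, and not taken from the product) evaluates the expression forms in the two tables above with a small Python evaluator. The names `matches`, `pattern`, and `SAMPLE` are hypothetical. It assumes that NOT binds tightest, that AND, OR, and XOR are applied left to right with equal precedence, that `*` keeps its wildcard meaning inside quotes, that EQ requires the whole field to equal the keyword, and that a field number beyond the end of the line never matches.

```python
import re

TOKEN = re.compile(r'''\s*(?:"([^"]*)"|'([^']*)'|([()])|([^\s()]+))''')
OPS = {"AND": lambda a, b: a and b, "OR": lambda a, b: a or b, "XOR": lambda a, b: a != b}
SAMPLE = "one two three four NewWorld six Hello"  # constructed input line

def pattern(keyword):  # '*' matches any run of characters; the rest is literal text
    return ".*".join(re.escape(part) for part in keyword.split("*"))

def matches(expr, line):  # True if the match expression selects the input line
    toks = [(("lit", "lit", "par", "word")[m.lastindex - 1], m.group(m.lastindex))
            for m in TOKEN.finditer(expr)] + [("end", "")]
    words, pos = line.split(), 0
    def peek(kind, texts):
        return toks[pos][0] == kind and toks[pos][1].upper() in texts

    def term():
        nonlocal pos
        kind, text = toks[pos]
        if kind == "end" or (kind, text) == ("par", ")"):
            raise ValueError("expected a keyword, NOT or '('")
        pos += 1
        if kind == "word" and text.upper() == "NOT":
            return not term()
        if kind == "par":
            value = chain()
            if not peek("par", {")"}):
                raise ValueError("missing ')'")
            pos += 1
            return value
        if peek("word", {"EQ", "IN"}) and re.fullmatch(r"\$\d+", toks[pos + 1][1]):
            test = re.fullmatch if toks[pos][1].upper() == "EQ" else re.search
            n = int(toks[pos + 1][1][1:])  # $n: n-th whitespace-delimited word
            pos += 2
            return 1 <= n <= len(words) and test(pattern(text), words[n - 1], re.I) is not None
        return re.search(pattern(text), line, re.I) is not None  # partial, case insensitive

    def chain():  # binary operators, left to right, equal precedence (assumed)
        nonlocal pos
        value = term()
        while peek("word", OPS):
            pos += 1
            value = OPS[toks[pos - 1][1].upper()](value, term())
        return value

    result = chain()
    if toks[pos][0] != "end":
        raise ValueError("unexpected token: " + toks[pos][1])
    return result
```

Calling `matches("(Hello EQ $7)", SAMPLE)` returns True, and `matches("NOT (World IN $5)", SAMPLE)` returns False because the fifth word of the constructed line contains World.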