Using parse expressions


The parsing functions of the BMC Defender Server are used in a variety of places throughout the system. This section contains a detailed explanation of these Parse Expressions, their usage, their syntax, and general application notes.

Parse Expressions allow the program to extract information from a string or message, such as a particular field value, identified by a simple field number, match expression, or a more complex function. 

Example

You can use Parse Expressions to create specific matches of fields, as well as to extract fields for the enumerated display of counts (such as on the Analyze screens for Threads and Devices).

Parse Expressions are used in the following locations in the system.

  • Catalog Analyze Screen—The operator can interactively specify a Parse Expression to extract data from any catalog. The operator clicks the Analyze link at the top of the Messages > Devices, Messages > Users, Correlation > Threads or other locations, then clicks the Parse link. The operator can then enter a Parse Expression to extract, enumerate, and tabulate data from the set of selected messages.
  • Reports > Query Screen—The operator can specify a Parse Expression to extract data from any query generated by the Query function. The operator clicks on the Analyze link after running a query and then clicks the Parse link. The operator can then enter a Parse Expression to extract, enumerate, and tabulate data from the query results.
  • Excel Reports—The operator can specify a Parse Expression in the Reports > Excel facility by clicking Message Parsing Rules on the Add New and Edit screens. This allows you to populate a spreadsheet with the values parsed from a set of messages.
  • Pivot Reports—The operator can specify a Parse Expression on the Reports > Pivot screen. Parse expressions provide one way of populating a pivot report with parsed values (the other way being to parse message data by field numbers, selected on the Add New or Edit screen).
  • Dashboard Gadgets—The dashboard facility can display lists of parsed values using the Parse-Thread-Gadget.exe program that allows the operator to depict an occurrence count of parsed values from a set of messages.
  • Thread (and other) Match Expressions—The operator can include a parse expression within a match expression, so that a set of messages is matched only if a certain parsed function exists within the message, for instance, if the fifth space-delimited word of the message contains an expected text string.
  • User Discovery—The User Discovery Match Patterns, accessed through the Messages > Users > Advanced screen, permit the operator to specify parse expressions in order to discover user names within messages.
  • Filter And Override Screens—The Message > Config > Filters and Messages > Config Overrides screens allow the operator to use parse expressions to match specific keywords. 

    Note

    This should be used cautiously to avoid unnecessary processing expense for these high-speed match patterns.

  • Match Expression Evaluation Tool—BMC Defender includes a simple Match Expression Evaluation Tool, accessed through the More > Match Expr menu. This tool permits the operator to test expressions against user input strings, including the ability to test parse expressions.
  • CPars.exe Command-Line Tool—All the functions in this section are supported by the CPars.exe command-line tool, found in the cli-bin folder of BMC Defender installations. This command-line tool allows simple scripting of complex parse functions for report generation, forensics, or testing.


How parsing works

Parsing is applied to a set of target strings on the system. These target strings are just textual data, typically received messages (but possibly other types of textual data). In all cases, the parse function you specify is replaced by the parsed value as the first step in processing or matching messages.

Three distinct types of parsing can occur on the system, documented in detail in the various parts of this section:

  • Parse By Field Number—You can simply specify the field number that is extracted from the target string, such as $3 being the third word of the target string. The leading $ can generally be omitted, but is always appropriate to include in the parse specification. This type of parsing is useful if the operator is working with highly structured data where the position of a particular word has a standard significance. In practice, this generally works with only a small set of very standardized messages.
  • Parse By Match Expression—You can specify a match expression, where the asterisk character in the match expression specifies the particular text string segment that is to be extracted. 

    Employing a parse expression such as User Name* returns the value that matches the asterisk character. This works with many different loosely structured data formats, especially messages in the standard BMC Defender Server format, as well as CEF, LEEF, and other common information formats. In practice, this technique is widely used for all types of structured and unstructured data.

  • Parse By Function—You can specify a more complex $parse() function that performs special processing of the message. A majority of the information in this section is related to this technique; each parse function supported by the BMC Defender Server system is documented in detail.

In all cases, the parse expression is replaced by the parsed value. Herein, this is called the returned value of the parse expression; this simply means that the parsed value replaces the user-furnished parse expression.

Example

When parsing by a field number such as $8, the $8 string is replaced by the eighth word of the target string; when parsing by a $parse() function, the function is replaced by the parsed value.

The remaining portion of this section provides a description of each parse expression, its purpose, and its usage both as a parser and within a correlation rule. You should look closely at the examples in each section and may experiment with the match pattern using any of the facilities described above.

Parse by field number

A parse expression can be a simple numeric value. In this case, the number specifies the particular space-delimited word that is returned by the expression. If the numeric value is larger than the number of space-delimited words in the target string, no value is returned.

| Target string | Parse expression | Return value | Note |
|---|---|---|---|
| User admin has logged into the system. | $2 | admin | |
| User admin has logged into the system. | 2 | admin | Important: In most cases the $ is optional. The value of $N is identical to specifying N. |
| Status code: 0x01 was unexpectedly detected. | $3 | 0x01 | |
| The server workstation dev001 is down. | $4 | dev001 | |
| Value A\|B\|C logged. | $2 | A\|B\|C | Important: The second field, delimited by spaces, is returned. (See the $delim function.) |
| A short string. | $10 | No match. No value is returned because the string does not have 10 words. | |

Parse by match expression

A parse expression can be a match expression, containing a single asterisk * character. The value returned is the portion of the string that matches the asterisk. If the parse expression does not match the target string, then no value is returned.

| Target string | Parse expression | Return value | Note |
|---|---|---|---|
| User admin has logged into the system. | user * has | admin | |
| Status code: 0x01 was unexpectedly detected. | code: * | 0x01 | |
| The server workstation dev001 is not responding. | workstation * | dev001 | |
| Device=dev001 User=root has logged in. | user=* | root | Note: The parse expression does not require a leading space. |
| Workstation dev002 system startup. | workstation * startup | dev002 | Note: Only the first space-delimited word that matches the asterisk (*) is returned. |
| Workstation dev002 shutdown. | workstation * startup | No match. No value is returned because the parse expression does not match the string. | |
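The two tables above describe the field-number and match-expression rules. The following Python reproduces those rules on the tables' own target strings; it is an added illustration, not code from BMC Defender Server or its CPars.exe tool. Case-insensitive matching and searching anywhere in the target are inferred from the table's examples rather than stated on the page.

```python
import re
from typing import Optional


def parse_by_field(target: str, expr: str) -> Optional[str]:
    """'$N' or 'N' returns the N-th space-delimited word, or None when the
    target string has fewer than N words (the 'No match' row above)."""
    n = int(expr.strip().lstrip("$"))
    words = target.split()
    return words[n - 1] if 1 <= n <= len(words) else None


def parse_by_match(target: str, expr: str) -> Optional[str]:
    """A match expression with exactly one '*' returns the text the asterisk
    stands for, reduced to its first space-delimited word. The literal text
    around the '*' is searched anywhere in the target, case-insensitively
    (both inferred from the table's examples, not stated on the page)."""
    expr = expr.strip()  # a leading space in the expression is not required
    if expr.count("*") != 1:
        raise ValueError("parse match expression needs exactly one '*'")
    prefix, suffix = expr.split("*")
    # With a suffix the asterisk is the shortest span up to that suffix;
    # without one it runs to the end of the target string.
    body = r"(.*?)" + re.escape(suffix) if suffix else r"(.*)"
    m = re.search(re.escape(prefix) + body, target, re.IGNORECASE | re.DOTALL)
    if m is None:
        return None  # the expression does not match: no value is returned
    words = m.group(1).split()
    return words[0] if words else None


def parse(target: str, expr: str) -> Optional[str]:
    """Dispatch on the expression's form: a bare number (with or without the
    leading $) parses by field number, anything else by match expression."""
    if re.fullmatch(r"\$?\d+", expr.strip()):
        return parse_by_field(target, expr)
    return parse_by_match(target, expr)


if __name__ == "__main__":
    # Constructed target strings and expressions taken from the tables above.
    samples = [
        ("User admin has logged into the system.", "$2"),
        ("Value A|B|C logged.", "2"),
        ("Device=dev001 User=root has logged in.", "user=*"),
        ("Workstation dev002 system startup.", "workstation * startup"),
        ("Workstation dev002 shutdown.", "workstation * startup"),
    ]
    for target, expr in samples:
        print(f"{expr!r:25} -> {parse(target, expr)!r}")
```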

Parse expression examples

You can match any particular field using $N notation as described previously. Other more sophisticated parsing functions exist that permit a particular field to be matched only if the field has some property such as being an integer value, or being a URL. For more information about parse specifications and the multiple parsing functions, see Parse-expressions.

| Expression example | Description |
|---|---|
| $integer(3) | Matches any line where the third word of the line is an integer value, or contains at least one integer number. |
| $alpha(4) | Matches any line where the fourth word of the line is an alpha value that is not an integer and not a punctuation mark. For instance, the line is matched if the fourth word of the line is XYZ, but not 123. |
| $basename(5) eq readme | Matches any line where the fifth word of the line has a basename of readme. For instance, the line is matched if the fifth word of the line is readme.txt or readme.hlp, but not help.txt. |
| $suffix(5) eq txt | Matches any line where the fifth word of the line has a suffix of txt. For instance, the line is matched if the fifth word is readme.txt or help.txt, but not readme.doc. |
| BMC Defender Server in $url(5) | Matches any line where the fifth word of the line is a URL beginning with http://, https://, or ftp://, and the parsed URL has BMC Defender Server in its content. |
| $ipaddr(6) | Matches any line where the sixth word of the line is a standard IPv4 address. |
| $geo(6) eq us | Matches any line where the sixth word of the line is a standard IPv4 address whose associated country code is US (that is, matches a US IP address). |
| $email(7) | Matches any line where the seventh word of the line is a standard e-mail address in the form x@y.z. |
| error in $delim(pipe, 7) | Matches any line where the seventh field, delimited by a pipe character, contains the keyword error. |
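The expression examples above can be reproduced with a small evaluator. The following Python is an added illustration, not BMC Defender Server's own matcher, and it implements only the functions the table lists (except $geo, which needs GeoIP data). The case-insensitive comparison for eq and in, reading $integer as "contains a digit", and pipe as the only delimiter name are assumptions made here.

```python
import os
import re
from typing import List, Optional

DELIMS = {"pipe": "|"}  # "pipe" is the only delimiter name shown on the page
CALL = re.compile(r"\$(\w+)\(([^)]*)\)")

# Word-qualifying functions from the table: each returns the parsed value or None.
WORD_FUNCS = {
    "integer": lambda w: w if re.search(r"\d", w) else None,
    "alpha": lambda w: w if re.search(r"[A-Za-z]", w) and not re.search(r"\d", w) else None,
    "basename": lambda w: os.path.splitext(os.path.basename(w))[0] or None,
    "suffix": lambda w: os.path.splitext(w)[1].lstrip(".") or None,
    "url": lambda w: w if re.match(r"(https?|ftp)://", w, re.IGNORECASE) else None,
    "ipaddr": lambda w: w if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", w)
    and all(int(o) < 256 for o in w.split(".")) else None,
    "email": lambda w: w if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", w) else None,
}


def nth(fields: List[str], n: int) -> Optional[str]:
    return fields[n - 1] if 1 <= n <= len(fields) else None  # 1-based; None if too short


def parse_function(target: str, name: str, args: List[str]) -> Optional[str]:
    """Evaluate one $name(args) against target; the field number is the last argument."""
    n = int(args[-1])
    if name == "delim":  # $delim(pipe, 7): fields split on the named delimiter
        w = nth(target.split(DELIMS.get(args[0], args[0])), n)
        return w.strip() if w is not None else None
    if name not in WORD_FUNCS:
        raise ValueError(f"unsupported parse function ${name}()")  # e.g. $geo needs GeoIP data
    w = nth(target.split(), n)
    return WORD_FUNCS[name](w) if w is not None else None


def matches(target: str, expr: str) -> bool:
    """Evaluate a table-style expression: '$f(n)', '$f(n) eq X' or 'X in $f(n)'.
    Comparisons are case-insensitive (an assumption; the page does not say)."""
    m = CALL.search(expr)
    if m is None:
        raise ValueError("expression contains no $function()")
    value = parse_function(target, m.group(1), [a.strip() for a in m.group(2).split(",")])
    if value is None:
        return False  # the field does not qualify, so the line cannot match
    before, after = expr[:m.start()].strip().lower(), expr[m.end():].strip().lower()
    if after.startswith("eq "):
        return value.lower() == after[3:].strip()
    if before.endswith(" in"):
        return before[:-3].strip() in value.lower()
    return True
```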
