Skip to Content

Trigger specific gobal variables

Triggers themselves create global variables, that latch message data when they are set. Each trigger has a set of global variables associated with it. These are similar to the global variables listed in Advanced-expressions:

  • $(triggername) global variable—A global variable corresponding to a trigger name, when found in any correlation expression, is replaced with the current state of the trigger, either the keyword set or the keyword clear. For instance, if a trigger exists with the name MyLatch, then the comparison ($mylatch eq set) evaluates to true if the trigger is set.
  • $(triggername).N global variable—A global variable corresponding to a trigger name, followed by a number (N) is replaced by the Nth word in the message that set the particular trigger. For instance, to test to see if the third word of the message that triggered the MyLatch trigger contains the keyword login, you can specify the comparison (login in $mylatch.3)
  • $(triggername).address global variable—A global variable corresponding to a trigger name, appended with . address, when found in a correlation expression, is immediately replaced by the IP address of the device that set the trigger. For instance, to see if the device that set the MyLatch trigger has the same IP address as the current message, you can specify the comparison ($mylatch.address eq $address)
  • $(triggername).facility global variable—A global variable corresponding to a trigger name, appended with .facility, when found in a correlation expression, is immediately replaced by the facility of the message that set the trigger. For instance, to see if the facility of the message that triggered MyLatch was equal to internal, you can specify the comparison ($mylatch.facility eq internal)
  • $(triggername).severity global variable—A global variable corresponding to a trigger name, appended with .severity, when found in a correlation expression, is immediately replaced by the severity of the message that set the trigger. For instance, to see if the severity of the message that triggered MyLatch was not equal to debug, you can specify the comparison ($mylatch.severity ne debug).
  • $(triggername).facnum global variable—A global variable corresponding to a trigger name, appended with .facnum, when found in a correlation expression, is immediately replaced by the facility number of the message that set the trigger. This will be the numeric value of the trigger message facility, ranging from 0=Kernel to 24=Other. (User defined facilities, by their nature have no numeric value, are assigned a number of 24, following the last official facility number of 23=Local7.) For instance, to see if the severity of the message that triggered MyLatch was a localN facility, you can specify the comparison ($mylatch.facnum ge 16).

  • $(triggername).sevnum global variable—A global variable corresponding to a trigger name, appended with .sevnum, when found in a correlation expression, is immediately replaced by the severity number of the message that set the trigger. This will be the numeric value of the trigger message severity, ranging from 0=emergency to 7=debug.

    Warning

    Note

    The syslog protocol defines the highest severity to be zero. For instance, to see if the severity of the message that triggered MyLatch was greater than info, you can specify the comparison ($mylatch.sevnum lt 6).

  • $(triggername).date global variable—A global variable corresponding to a trigger name, appended with .date, when found in a correlation expression, is immediately replaced by the date of the message that set the trigger, in YYYY/MM/DD format. For instance, to see if the date of the message that triggered MyLatch had the same date as the date of the current message, you can specify the comparison ($mylatch.date eq $date).
  • $(triggername).wday global variable—A global variable corresponding to a trigger name, appended with .wday, when found in a correlation expression, is immediately replaced by the weekday abbreviation of the message that set the trigger, either mon, tue, wed, thu, fri, sat, or sun. For instance, to see if the date of the message that triggered MyLatch had the same date as the date of the current message, you can specify the comparison ($mylatch.wday eq $wday).
  • $(triggername).time global variable—A global variable corresponding to a trigger name, appended with .time, when found in a correlation expression, is immediately replaced by the time abbreviation of the message that set the trigger, in 24-hour format ranging from 00:00:00 to 23:59:00. For instance, to see if the date of the message that triggered MyLatch occurred at noon, you can specify the comparison (12:00:?? in $mylatch.time).
Warning

Note

  • Whenever you add a trigger, the above global variables immediately become accessible.
  • Also, as with all global variables, if you reference a trigger with a global variable that no longer exists, the variable name is not substituted in the expression. This implies that, if a trigger is deleted, those threads and actions depending upon the trigger become inoperable.

Although checks are applied, users should be aware to list the dependencies of triggers (preventing triggers from being deleted if they have dependencies) these checks are not applied to the trigger names used in match expressions. Therefore, deleting a trigger that is used only in an expression might make it impossible to ever match the particular expression.

Related topic

Using-correlation-triggers

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Defender SIEM Correlation Server 6.2