3 Replies Latest reply on Aug 27, 2014 3:24 AM by alexander_h

    Multi-line RegEx for custom parser

    rcavey

      Just throwing this one out there....

       

      Prior to 9.3.2 we created a custom parser for ESET Anti-Virus (I referenced a few default parsers that used this method), so I went with a two-line RegEx parser.

      After upgrading to 9.3.2, I could edit the existing rule, but if I tried duplicating it from scratch I kept getting a pop-up error like the one below when clicking finish. The RegEx does seem to work with data in the Sample Log window. ??

       

      pcre[2] not referenced

      failed to validate rule on line1

       

       

      Has anyone seen this and been successful in creating a multi-line parser? Once you mention "custom parser" to support... yeah, sorry, we don't support custom parsers.

      FYI -- I solved this by just creating a one-line RegEx parser, but I was hoping to find out why...

       

       

      Cheers,

        -Bob

       

      Message was edited by: rcavey on 6/10/14 11:56:13 AM CDT