4 Replies Latest reply on Aug 15, 2016 1:51 AM by alv

    Correlation rules and regex

    ksudki

      Dear community,

      We are running version 9.5.2 20160128 on our environment and it seems that it is not possible to create working correlation rules with regex containing negative lookahead.

      Has anyone got them to work correctly?

      Thank you in advance

        • 1. Re: Correlation rules and regex
          minsktractorworks

          Can you supply an example of what you are trying to match?

          • 2. Re: Correlation rules and regex
            ksudki

            Sure

            We want to create a rule to trigger whenever there are files other than images in the Filename field for email events, for example:

            Filename                         Should match?
            test.png                         no
            test.png.doc                     yes
            test.doc                         yes
            test                             yes
            test.png, test.doc, test.png     yes
            test.doc.png                     no
            test.png, test.png, test.doc     yes

            The only way we thought we could achieve this is by using regex (probably with negative lookahead).

            Any ideas are welcome

            • 3. Re: Correlation rules and regex
              problematiq

              This may be a backwards way of doing it, but you could find the parsing rule(s) that do the matching, disable them, copy the regex and create a new rule. Then tweak the regex to capture the field that is the file extension, create a custom type and assign the field value. Then create your correlation rule based on the custom type.

              • 4. Re: Correlation rules and regex
                alv

                Hi,

                I have the same issue.

                Sample negative lookup (entered in the filter view in ESM, right pane in ESM):

                Regex (^(.(?!Station))*$)

                This negative lookup will look for an event (specific signature ID), but excludes a filename with the "Station" string in it.

                During testing, the regex (negative lookup) is working in the ESM filter view, but when you apply it in the custom rule there is a parse error during the roll-out.

                I'm hoping anyone has a solution to this, as support will only refer you to professional services.

                Thanks in advance.
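As an added example (not part of this thread, and not McAfee ESM code), the following Python script encodes the Filename table from reply 2 and checks two regexes against it: the negative-lookahead form that the thread is about, and a lookahead-free form built from negated character classes, which is the kind of rewrite to try when a rule compiler rejects `(?!...)` as in reply 4. It assumes that "image" means the `.png` extension used in the table, that the Filename field is a comma-separated list, and Python `re` semantics; whether ESM's rule engine accepts the lookahead-free pattern has to be confirmed in the product itself.

```python
import re

# Constructed test table, copied from the Filename examples in reply 2:
# (Filename field value, should the rule fire?)
CASES = [
    ("test.png", False),
    ("test.png.doc", True),
    ("test.doc", True),
    ("test", True),
    ("test.png, test.doc, test.png", True),
    ("test.doc.png", False),
    ("test.png, test.png, test.doc", True),
]

# Assumption: "image" means the .png extension used in the poster's table.
IMAGE_EXT = {"png"}

# Form 1: negative lookahead. For each comma-separated entry, refuse to consume it
# if it ends in ".png" (modulo trailing whitespace); a hit on any entry fires the rule.
LOOKAHEAD_RE = re.compile(
    r"(?:^|,)\s*(?![^,]*\.png\s*(?:,|$))[^,\s][^,]*",
    re.IGNORECASE,
)

# Form 2: the same decision without (?!...), for engines that reject lookahead.
# An entry fires if it has no dot at all, or if its final dot-separated segment
# is anything other than exactly "png".
NO_LOOKAHEAD_RE = re.compile(
    r"(?:^|,)\s*"
    r"(?:[^,.\s][^,.]*"                                        # no extension: "test"
    r"|[^,]*\.(?:[^,.p]|p[^,.n]|pn[^,.g]|png[^,.\s])[^,.]*)"  # last extension != png
    r"\s*(?:,|$)",
    re.IGNORECASE,
)


def flags_non_image(field: str) -> bool:
    """Reference implementation without regex: split the field and inspect each
    entry's final extension. This is the behaviour both regexes must reproduce."""
    for entry in field.split(","):
        name = entry.strip()
        if not name:
            continue  # ignore empty entries such as a trailing comma
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext not in IMAGE_EXT:
            return True
    return False


def evaluate(pattern):
    """Run one compiled regex over the table; returns (field, expected, got) triples."""
    return [(field, expected, pattern.search(field) is not None)
            for field, expected in CASES]


def all_pass(pattern):
    """True when the regex agrees with every row of the table."""
    return all(expected == got for _, expected, got in evaluate(pattern))


if __name__ == "__main__":
    for label, pattern in (("lookahead", LOOKAHEAD_RE), ("no lookahead", NO_LOOKAHEAD_RE)):
        for field, expected, got in evaluate(pattern):
            mark = "ok " if expected == got else "BAD"
            print(f"{mark} {label:12} {field!r:32} expected={expected} got={got}")
```

The point of `flags_non_image` is to pin down the intended decision independently of any regex dialect, so that a rewritten pattern can be checked row by row before it is rolled out in a correlation rule; the lookahead-free form only rules out a literal `png` as the last extension, so a variant such as `.pngx` still fires, which matches the split-based reference.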