Hi there,

The docs for Windows Event (WMI) Connector 1011.1r1 talk about using
regex methods to filter out certain Windows Event Codes. Like below:
If you want to filter events with EventIdentifier 515, 565, and 567:
Value = .*2:EI3515|565|567).*
If you want to filter events with EventIdentifier 515, 7036, and 567:
Value = .*2:EI(3|4)515|7036|567).*
Similarly, for EventCode, replace EI with EC in the value.

I have this syntax working for filtering out all occurrences for a
certain event code for the s_raw_message2 field and Case Insensitive +
ignore line breaks.

Now I want to check for a 565 event & for any Source User Name ending
with $ so as to filter these out. Has anyone got a "less than basic"
regex working as a filter?

My regex constructs that do not work (yet were validated OK by
RegexBuddy) were:
..*2:ec3:565.*Primary User Name:<\\\\t>[^<$]+\$<.*

Explanation:
Match any single character that is not a line break character .*
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) *
Match the characters 2:ec3:565 literally 2:ec3:565
Match any single character that is not a line break character .*
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) *
Match the characters Primary User Name:< literally Primary User
Name:<
Match the character \ literally \\
Match the character \ literally \\
Match the characters t> literally t>
Match a single character NOT present in the list <$ [^<$]+
Between one and unlimited times, as many times as possible, giving
back as needed (greedy) +
Match the character $ literally \$
Match the character < literally <
Match any single character that is not a line break character .*
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) *


and I tried a Positive Look Ahead method:
^(?=.*?2:ec3:565)(?=.*?Primary User Name:<\\\\t>[^$<]*\$<).*

Explanation of Regex:
Assert position at the beginning of a line (at beginning of the string
or after a line break character) ^
Assert that the regex below can be matched, starting at this position
(positive lookahead) (?=.*?2:ec3:565)
Match any single character that is not a line break character .*?
Between zero and unlimited times, as few times as possible,
expanding as needed (lazy) *?
Match the characters 2:ec3:565 literally 2:ec3:565
Assert that the regex below can be matched, starting at this position
(positive lookahead) (?=.*?Primary User Name:<\\\\t>[^$<]*\$<)
Match any single character that is not a line break character .*?
Between zero and unlimited times, as few times as possible,
expanding as needed (lazy) *?
Match the characters Primary User Name:< literally Primary User
Name:<
Match the character \ literally \\
Match the character \ literally \\
Match the characters t> literally t>
Match a single character NOT present in the list $< [^$<]*
Between zero and unlimited times, as many times as possible,
giving back as needed (greedy) *
Match the character $ literally \$
Match the character < literally <
Match any single character that is not a line break character .*
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) *

** I really like RegexBuddy for testing this stuff out.

cheers,
Kirk


--
kmaule
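
An offline check of the two patterns quoted in the post, added here as an example (it is not part of the original post or of the connector's documentation). The record layout, the `record`, `dropped` and `survey` helpers, whole-string matching and the use of Python's `re` are assumptions; the connector's own regex engine and real s_raw_message2 content may differ.

```python
import re

# The two patterns from the post, copied as written there.
SEQUENTIAL = r"..*2:ec3:565.*Primary User Name:<\\\\t>[^<$]+\$<.*"
LOOKAHEAD = r"^(?=.*?2:ec3:565)(?=.*?Primary User Name:<\\\\t>[^$<]*\$<).*"

POST_FLAGS = re.IGNORECASE | re.DOTALL  # "Case Insensitive + ignore line breaks"


def record(code, user, sep=" ", user_first=False):
    # Constructed sample, not real connector output. Assumed layout: an
    # event-code token plus a user field containing two literal backslashes.
    fields = ["2:EC3:%d" % code, "Primary User Name:<\\\\t>%s<" % user]
    if user_first:
        fields.reverse()
    return sep.join(["1:hdr"] + fields + ["end"])


def dropped(pattern, raw, flags=POST_FLAGS):
    # Assumption: the filter must match the whole record (the documented
    # values are wrapped in .* on both sides), so fullmatch is used.
    return re.fullmatch(pattern, raw, flags) is not None


def survey():
    # Returns {case name: (sequential pattern result, lookahead pattern result)}.
    cases = {
        "565 machine account": record(565, "WKSTN01$"),
        "565 named user": record(565, "jsmith"),
        "515 machine account": record(515, "WKSTN01$"),
        "565 machine, multi-line": record(565, "WKSTN01$", sep="\n"),
        "565 machine, user field first": record(565, "WKSTN01$", user_first=True),
    }
    return {name: (dropped(SEQUENTIAL, raw), dropped(LOOKAHEAD, raw))
            for name, raw in cases.items()}


if __name__ == "__main__":
    for name, (seq, look) in survey().items():
        print("%-32s sequential=%-5s lookahead=%s" % (name, seq, look))
    multi = record(565, "WKSTN01$", sep="\n")
    print("multi-line without DOTALL:", dropped(LOOKAHEAD, multi, re.IGNORECASE))
    print("case-sensitive:", dropped(LOOKAHEAD, record(565, "WKSTN01$"), re.DOTALL))
```

Under these assumptions both patterns select only the 565 record whose user name ends in $, and they differ when the user field precedes the event code. Neither matches if the engine is case-sensitive or if `.` cannot cross line breaks.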