Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Creating a Regex-based Custom Property

    You can create a regex-based custom property to match event or flow payloads to a regular expression.

    When you configure a regex-based custom property, the Custom Event Property or Custom Flow Property windows provide parameters. The following table describes some of these parameters.

    Table 1: Custom Properties Window Parameters (regex)

    Parameter

    Description

    Test field

    Specifies the payload that was extracted from the unnormalized event or flow.

    New Property

    The new property name cannot be the name of a normalized property, such as username, Source IP, or Destination IP.

    Note: The following characters cause an error if they are used in creating a new property name:

    Backslash ( \ ), comma (,), period (.), ampersand (&), single quotation mark ( ' ), double quotation mark ( " ), parentheses (()), and double brackets ([]).

    Note: For CEPs and CFPs that include the denoted characters, you need to create a duplicate of the property and save the new property name without using the denoted characters. Then, change all of the dependents of the old property to reference the new property. Finally, delete the old property.

    Optimize parsing for rules, reports, and searches

    Parses and stores the property the first time that the event or flow is received. When you select the check box, the property does not require more parsing for reporting, searching, or rule testing.

    If you clear this check box, the property is parsed each time a report, search, or rule test is applied.

    Log Source

    If multiple log sources are associated with this event, this field specifies the term Multiple and the number of log sources.

    RegEx

    The regular expression that you want to use for extracting the data from the payload. Regular expressions are case-sensitive.

    The following examples show sample regular expressions:

    • Email: (.+@[^\.].*\.[a-z]{2,}$)

    • URL: (http\://[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(/\S*)?$)

    • Domain Name: (http[s]?://(.+?)["/?:])

    • Floating Point Number: ([-+]?\d*\.?\d*$)

    • Integer: ([-+]?\d*$)

    • IP address: (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)

    Capture groups must be enclosed in parentheses.

    Capture Group

    Capture groups treat multiple characters as a single unit. In a capture group, characters are grouped inside a set of parentheses.

    Enabled

    If you clear the check box, this custom property does not display in search filters or column lists and the property is not parsed from payloads.

    1. Click the Log Activity tab.
    2. If you are viewing the events in streaming mode, click the Pause icon to pause streaming.
    3. Double-click the event that you want to base the custom property on.
    4. Click Extract Property.
    5. In the Property Type Selection pane, select the Regex Based option.
    6. Configure the custom property parameters.
    7. Click Test to test the regular expression against the payload.
    8. Click Save.

    The custom property is displayed as an option in the list of available columns on the search page. To include a custom property in an event or flows list, you must select the custom property from the list of available columns when you create a search.

    Modified: 2017-09-13