IBM QRadar

Hi,

I tried to combine two URL strings as one using Regex, but it is not reflecting.

As per the link below, I was unable to locate the format string field in the DSM editor.

Referencing capture strings by using format string fields - IBM Documentation

part of Log:

"ClientRequestHost":"xxxxx.yyyyy.com","ClientRequestMethod":"GET","ClientRequestURI":"/mobile/js/common.js"

There is only capture group, no format string.

I have tried two different expression as well in the same property.

Experts, please assist me to complete it.

Thanks

Hello,

Yes where you have Capture Group can use the values $1.$2.
What you hvae entered is just the number 1. This will not work. 

It needs to be $1

Regards

Hi,

I tried to combine two URL strings as one using Regex, but it is not reflecting.

As per the link below, I was unable to locate the format string field in the DSM editor.

Referencing capture strings by using format string fields - IBM Documentation

part of Log:

"ClientRequestHost":"xxxxx.yyyyy.com","ClientRequestMethod":"GET","ClientRequestURI":"/mobile/js/common.js"

There is only capture group, no format string.

I have tried two different expression as well in the same property.

Experts, please assist me to complete it.

Thanks

Hi Morgan,

It doesn't work, see the snapshots below.  Format string only accepting the $.  If you can please share the snapshot.

I tried individually as well as combined.

My QRadar Version is 7.5.0 UP6

Thanks

Hello,

Yes where you have Capture Group can use the values $1.$2.
What you hvae entered is just the number 1. This will not work. 

It needs to be $1

Regards

Hi,

I tried to combine two URL strings as one using Regex, but it is not reflecting.

As per the link below, I was unable to locate the format string field in the DSM editor.

Referencing capture strings by using format string fields - IBM Documentation

part of Log:

"ClientRequestHost":"xxxxx.yyyyy.com","ClientRequestMethod":"GET","ClientRequestURI":"/mobile/js/common.js"

There is only capture group, no format string.

I have tried two different expression as well in the same property.

Experts, please assist me to complete it.

Thanks

Hello Arunkumar,

Apologies for delay. 
I found another technote that goes through a similar matching sequence. 
https://www.ibm.com/support/pages/qradar-how-change-or-customize-log-source-time

If you look at section 3, this documents how they are combining the 2 capture groups into one. 

Regards,

Hi Morgan,

It doesn't work, see the snapshots below.  Format string only accepting the $.  If you can please share the snapshot.

I tried individually as well as combined.

My QRadar Version is 7.5.0 UP6

Thanks

Hello,

Yes where you have Capture Group can use the values $1.$2.
What you hvae entered is just the number 1. This will not work. 

It needs to be $1

Regards

Hi,

I tried to combine two URL strings as one using Regex, but it is not reflecting.

As per the link below, I was unable to locate the format string field in the DSM editor.

Referencing capture strings by using format string fields - IBM Documentation

part of Log:

"ClientRequestHost":"xxxxx.yyyyy.com","ClientRequestMethod":"GET","ClientRequestURI":"/mobile/js/common.js"

There is only capture group, no format string.

I have tried two different expression as well in the same property.

Experts, please assist me to complete it.

Thanks

Hi Morgan,

Thank you for your response.

I hope you read and seen my previous post snapshots. In my case, it is shown as Capture Group, not the Format String.

The concatenation works as stated in the provided link for the Format string only, but not for the Capture Group.

The Format string is available only in the default property, If I use the default property I can't rename it.

I am not sure why QRadar side did not update this point.  

Thanks

Hello Arunkumar,

Apologies for delay. 
I found another technote that goes through a similar matching sequence. 
https://www.ibm.com/support/pages/qradar-how-change-or-customize-log-source-time

If you look at section 3, this documents how they are combining the 2 capture groups into one. 

Regards,

Hi Morgan,

It doesn't work, see the snapshots below.  Format string only accepting the $.  If you can please share the snapshot.

I tried individually as well as combined.

My QRadar Version is 7.5.0 UP6

Thanks

Hello,

Yes where you have Capture Group can use the values $1.$2.
What you hvae entered is just the number 1. This will not work. 

It needs to be $1

Regards

Hi,

I tried to combine two URL strings as one using Regex, but it is not reflecting.

As per the link below, I was unable to locate the format string field in the DSM editor.

Referencing capture strings by using format string fields - IBM Documentation

part of Log:

"ClientRequestHost":"xxxxx.yyyyy.com","ClientRequestMethod":"GET","ClientRequestURI":"/mobile/js/common.js"

There is only capture group, no format string.

I have tried two different expression as well in the same property.

Experts, please assist me to complete it.

Thanks

The last example Comghall provided is for the Log Source Time - which is a mandatory field. Using combination of Format strings when creating parsing for mandatory fields (properties) you can concatenate the needed strings. Now, you are creating a "personal" custom property, where capture groups are used, and I am not sure that concatenation in the same way as for mandatory fields is possible. However, if you use "0" (instead of entering/selecting capture group numbers), the content that matches the regex statement you put (no matter the capture groups within a bracket)  would be pulled into your custom property field (at least it was like this in my lab).

Hi Morgan,

Thank you for your response.

I hope you read and seen my previous post snapshots. In my case, it is shown as Capture Group, not the Format String.

The concatenation works as stated in the provided link for the Format string only, but not for the Capture Group.

The Format string is available only in the default property, If I use the default property I can't rename it.

I am not sure why QRadar side did not update this point.  

Thanks

Hello Arunkumar,

Apologies for delay. 
I found another technote that goes through a similar matching sequence. 
https://www.ibm.com/support/pages/qradar-how-change-or-customize-log-source-time

If you look at section 3, this documents how they are combining the 2 capture groups into one. 

Regards,

Hi Morgan,

It doesn't work, see the snapshots below.  Format string only accepting the $.  If you can please share the snapshot.

I tried individually as well as combined.

My QRadar Version is 7.5.0 UP6

Thanks

Hello,

Yes where you have Capture Group can use the values $1.$2.
What you hvae entered is just the number 1. This will not work. 

It needs to be $1

Regards

Hi,

I tried to combine two URL strings as one using Regex, but it is not reflecting.

As per the link below, I was unable to locate the format string field in the DSM editor.

Referencing capture strings by using format string fields - IBM Documentation

part of Log:

"ClientRequestHost":"xxxxx.yyyyy.com","ClientRequestMethod":"GET","ClientRequestURI":"/mobile/js/common.js"

There is only capture group, no format string.

I have tried two different expression as well in the same property.

Experts, please assist me to complete it.

Thanks

Hi Dusan,

If I give '0' it fetches all the strings without ignoring as I defined in the regex.

The last example Comghall provided is for the Log Source Time - which is a mandatory field. Using combination of Format strings when creating parsing for mandatory fields (properties) you can concatenate the needed strings. Now, you are creating a "personal" custom property, where capture groups are used, and I am not sure that concatenation in the same way as for mandatory fields is possible. However, if you use "0" (instead of entering/selecting capture group numbers), the content that matches the regex statement you put (no matter the capture groups within a bracket)  would be pulled into your custom property field (at least it was like this in my lab).

Hi Morgan,

Thank you for your response.

I hope you read and seen my previous post snapshots. In my case, it is shown as Capture Group, not the Format String.

The concatenation works as stated in the provided link for the Format string only, but not for the Capture Group.

The Format string is available only in the default property, If I use the default property I can't rename it.

I am not sure why QRadar side did not update this point.  

Thanks

Hello Arunkumar,

Apologies for delay. 
I found another technote that goes through a similar matching sequence. 
https://www.ibm.com/support/pages/qradar-how-change-or-customize-log-source-time

If you look at section 3, this documents how they are combining the 2 capture groups into one. 

Regards,

Hi Morgan,

It doesn't work, see the snapshots below.  Format string only accepting the $.  If you can please share the snapshot.

I tried individually as well as combined.

My QRadar Version is 7.5.0 UP6

Thanks

Hello,

Yes where you have Capture Group can use the values $1.$2.
What you hvae entered is just the number 1. This will not work. 

It needs to be $1

Regards

Hi,

I tried to combine two URL strings as one using Regex, but it is not reflecting.

As per the link below, I was unable to locate the format string field in the DSM editor.

Referencing capture strings by using format string fields - IBM Documentation

part of Log:

"ClientRequestHost":"xxxxx.yyyyy.com","ClientRequestMethod":"GET","ClientRequestURI":"/mobile/js/common.js"

There is only capture group, no format string.

I have tried two different expression as well in the same property.

Experts, please assist me to complete it.

Thanks