IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

Regex Data Format

Davit UbilavaFri January 31, 2020 01:27 AM

1. Regex Data Format

Like
Davit Ubilava
Posted Fri January 31, 2020 01:27 AM

Reply
Hello community,

An actual raw log example is:
<142>Jan 30 15:27:47 mx2 bmserver: 1580383667|50538744-5afff7000000136c-c7-5e32bdb3d3ce|VERDICT|<none>|connection_class_1|default|static connection class 1

I need correct Date Format to parse Log Source Time

thank you

------------------------------
Davit Ubilava
System Administrator
Delta Consulting LLC
Tbilisi,Georgia
------------------------------
2. RE: Regex Data Format

Like
Halil BALIM
Posted Mon February 03, 2020 02:31 AM

Reply
Hi,

I am facing the same issue. Wating for the replies.

------------------------------
Halil BALIM
------------------------------

Original Message
3. RE: Regex Data Format

Like
Dusan VIDOVIC
Posted Tue February 04, 2020 03:08 AM

Reply
I think Jonathan addressed something like this in the forums :
https://developer.ibm.com/answers/questions/385125/format-for-overriding-log-source-time-in-dsm-edito/

------------------------------
Dusan VIDOVIC
------------------------------

Original Message
4. RE: Regex Data Format

Like
Ali Rıza Yüksektepe
Posted Fri February 07, 2020 10:08 AM

Reply
Hi,

I think you must use $1 with format string.

------------------------------
Ali Rıza Yüksektepe
------------------------------

Original Message
5. RE: Regex Data Format

Like
Andreas Leibl
Posted Mon March 30, 2020 09:03 AM

Reply
Hi Davit,

The date format string hat a hyphen ("-") between "MMM" and "dd" whereas the actual log message does not. Could that be the reason for the regex matching the timestamp but the log source time not being parsed?

Cheers,

Andreas

------------------------------
Andreas Leibl
------------------------------

Original Message
6. RE: Regex Data Format

Like
COLIN HAY
Posted Tue March 31, 2020 01:32 PM

Reply
Ali and Andreas each have half the answer. The Format String field uses $x notation to refer to capture groups in the Regex field, so you need to use $1, not 1 as your Format String. Just using "1" would set the value to a literal "1".

The Date Format also needs to be adjusted, it should be:

MMM dd HH:mm:ss

no dash/hyphen between "MMM" and "dd".

Cheers
Colin

------------------------------
COLIN HAY
------------------------------

Original Message

IBM QRadar

Regex Data Format

Davit UbilavaFri January 31, 2020 01:27 AM

Halil BALIMMon February 03, 2020 02:31 AM

Dusan VIDOVICTue February 04, 2020 03:08 AM

Ali Rıza YüksektepeFri February 07, 2020 10:08 AM

Andreas LeiblMon March 30, 2020 09:03 AM

COLIN HAYTue March 31, 2020 01:32 PM

1. Regex Data Format

2. RE: Regex Data Format

3. RE: Regex Data Format

4. RE: Regex Data Format

5. RE: Regex Data Format

6. RE: Regex Data Format

Additional
Resources

Office

Quick Links

IBM QRadar

Regex Data Format

Davit UbilavaFri January 31, 2020 01:27 AM

Halil BALIMMon February 03, 2020 02:31 AM

Dusan VIDOVICTue February 04, 2020 03:08 AM

Ali Rıza YüksektepeFri February 07, 2020 10:08 AM

Andreas LeiblMon March 30, 2020 09:03 AM

COLIN HAYTue March 31, 2020 01:32 PM

1. Regex Data Format

2. RE: Regex Data Format

3. RE: Regex Data Format

4. RE: Regex Data Format

5. RE: Regex Data Format

6. RE: Regex Data Format

Related Content

Log Source Time Format

Multi Tenant property with Different Storage Folder

Custom DSM's undocumented protocols.

DSM Editor, regex

IP address in the event is not parseble/searchable

Additional Resources

Office

Quick Links

Additional
Resources