Regular Expressions 101

SIEM Extended Attribute Regex

Regular Expression
PCRE (PHP <7.3)

/
^.*?(?=\=)=\s"(?P<Severity>.*?(?=\"))".*?(?=Gauge32).*?(?=:):\s(?P<EventCount>\d+).*?(?=AlarmOriginEntity).*?(?=\:):\s+"(?P<OriginEntity>.*?(?=\"))".*?(?=\")"(?P<OriginHost>.*?(?=\"))".*?(?=\")"(?P<ImpactedHost>.*?(?=\"))".*?(?=\")"(?P<ImpactedApp>.*?(?=\"))".*?(?=\")"(?P<VendorMessageID>.*?(?=\"))".*?(?=\")"(?P<MPERuleName>.*?(?=\"))".*?(?=\")"(?P<EventDirection>.*?(?=\"))".*?(?=\")"(?P<OriginZone>.*?(?=\"))".*?(?=\")"(?P<ImpactedZone>.*?(?=\"))".*?(?=\")"(?P<ImpactedEntity>.*?(?=\"))".*?(?=\")"(?P<OriginLocation>.*?(?=\"))".*?(?=\")"(?P<ImpactedLocation>.*?(?=\"))".*?(?=\")"(?P<OriginNetwork>.*?(?=\"))".*?(?=\")"(?P<ImpactedNetwork>.*?(?=\"))".*?(?=\")"(?P<OriginPort>.*?(?=\"))".*?(?=\")"(?P<ImpactedPort>.*?(?=\"))".*?(?=\")"(?P<AlarmProtocol>.*?(?=\"))".*?(?=\")"(?P<OriginUser>.*?(?=\"))".*?(?=\")"(?P<ImpactedUser>.*?(?=\"))".*?(?=\")"(?P<AlarmObject>.*?(?=\"))".*?(?=\")"(?P<AlarmSender>.*?(?=\"))".*?(?=\")"(?P<AlarmRecipient>.*?(?=\"))".*?(?=\")"(?P<AlarmSubject>.*?(?=\"))".*?(?=\")"(?P<AlarmGroup>.*?(?=\"))".*?(?=\")"(?P<AlarmDomain>.*?(?=\"))".*?(?=\")"(?P<AlarmSession>.*?(?=\"))".*?(?=\")"(?P<AlarmProcessName>.*?(?=\"))".*?(?=\")"(?P<AlarmURL>.*?(?=\"))".*?(?=\")"(?P<BytesIn>.*?(?=\"))".*?(?=\")"(?P<BytesOut>.*?(?=\"))".*?(?=\")"(?P<ItemsIn>.*?(?=\"))".*?(?=\")"(?P<ItemsOut>.*?(?=\"))".*?(?=\")"(?P<Duration>.*?(?=\"))".*?(?=\")"(?P<Amount>.*?(?=\"))".*?(?=\")"(?P<Quantity>.*?(?=\"))".*?(?=\")"(?P<Rate>.*?(?=\"))".*?(?=\")"(?P<Size>.*?(?=\"))".*?(?=v\=)(?P<Message>.*?(?=\<\/aie\>)).*?(?=\=)=\s"(?P<KBWebRefernce>.*?(?=\"))".*?(?=\")"(?P<OriginMACAddress>.*?(?=\"))".*?(?=\")"(?P<ImpactedMACAddress>.*?(?=\"))".*?(?=\")"(?P<OriginNATIPAddress>.*?(?=\"))".*?(?=\")"(?P<ImpactedNATIPAddress>.*?(?=\"))".*?(?=\")"(?P<OriginInterface>.*?(?=\"))".*?(?=\")"(?P<ImpactedInterface>.*?(?=\"))".*?(?=\")"(?P<AlarmPID>.*?(?=\"))".*?(?=\")"(?P<AlarmVersion>.*?(?=\"))".*?(?=\")"(?P<AlarmCommand>.*?(?=\"))".*?(?=\")"(?P<AlarmObjectName>.*?(?=\"))".*?(?=\")"(?P<OriginNATPORT>.*?(?=\"))".*?(?=\")"(?P<ImpactedNATPort>.*?(?=\"))"
/

Description

no description available

Submitted by Stephen Kim - 8 years ago