
I want to parse some application log. I wrote a lot of regexes that work correctly in Notepad++ and on the website www.regex101.com, but when I apply them in QRadar they don't match anything.

For example

12/2/2017 9:53:58,4040007,blablablbla,blablabla --- Abonnement Mobile N° : 0663016666 | balbalbal | 03/06/2006 11:11:22 --- Soldes,10.10.10.10

I wrote this regex (?<=---)\s+[A-Za-z+ \/\w+0-9._%+-]+(?=(\sN°|\s\sN°|\sID)) to match "Abonnement Mobile". It works correctly there, but it doesn't match anything in QRadar.

John Hanley

1 Answer

QRadar does not accept all regex configurations. When you try to parse something, you can use the extract property field to check. Here is a regex that works fine in my system.

 \-\-\-\s(\w+\s\w+)\s

This regex will only work if the "Abonnement Mobile" field contains letters or digits. If you want to catch "Abonnement Mobile N°", you can use this regex instead; it will work whatever comes in this field.

 \-\-\-\s([^\:]+)\:

Draken
  • Thanks for your reply. I'll check this regex Monday because I don't have access to my system now, and I'll tell you if it works. – Bahaeddine Hilali Apr 22 '17 at 12:42
  • Hello, this regex works, but it has the same problem as mine: it matches 'Abonnement Mobile' together with '---'. I want only 'Abonnement Mobile' without anything else. – Bahaeddine Hilali Apr 24 '17 at 07:37
  • I found the solution: '---\s+([A-Za-z+ /\w+0-9._%+-]+(?=(\sN°|\s\sN°|\sID)))', and in the capture group we must use $1. Then it matches only 'Abonnement Mobile' without '---'. – Bahaeddine Hilali Apr 24 '17 at 07:53
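The thread compares four patterns against the same log line without showing what each one actually returns, so here is an added Python example (not part of the original question or answer) that runs the asker's lookbehind pattern, the two patterns from the answer, and the asker's final capture-group pattern over the sample line from the question. It assumes that the property extractor stores capture group 1 ("$1"), as the final comment states, and that Python's `re` module is a fair stand-in for testing match behaviour; the sample line is the one quoted in the question, with its dummy numbers and addresses. The point it makes beyond the text is that the original lookbehind pattern does define a group 1, but it sits inside the lookahead and yields " N°" rather than the field, which is why moving the parentheses around the field is what makes $1 useful.

```python
import re

# Sample line copied from the question (constructed test data, not a real event).
LOG_LINE = ("12/2/2017 9:53:58,4040007,blablablbla,blablabla --- Abonnement Mobile "
            "N° : 0663016666 | balbalbal | 03/06/2006 11:11:22 --- Soldes,10.10.10.10")

# The patterns discussed in the thread, keyed by a short label (labels are ours).
PATTERNS = {
    # Asker's original: lookbehind, leading whitespace is part of the match,
    # and the only capture group is the one inside the lookahead.
    "lookbehind": r"(?<=---)\s+[A-Za-z+ /\w+0-9._%+-]+(?=(\sN°|\s\sN°|\sID))",
    # Answer's first suggestion: exactly two \w+ words after '--- '.
    "two_words": r"\-\-\-\s(\w+\s\w+)\s",
    # Answer's second suggestion: everything between '--- ' and the first ':'.
    "until_colon": r"\-\-\-\s([^\:]+)\:",
    # Asker's final version: the group wraps the field, the lookahead stops before 'N°' / 'ID'.
    "capture_group": r"---\s+([A-Za-z+ /\w+0-9._%+-]+)(?=(\sN°|\s\sN°|\sID))",
}


def extract(pattern, line):
    """Return (whole_match, group1) for the first match of `pattern` in `line`,
    or None when nothing matches. group1 is None when the pattern has no
    capturing group, mirroring a property extractor that stores $1."""
    m = re.search(pattern, line)
    if m is None:
        return None
    group1 = m.group(1) if m.lastindex else None
    return m.group(0), group1


def compare_all(line=LOG_LINE):
    """Run every pattern over `line` and collect what each one would extract."""
    return {name: extract(p, line) for name, p in PATTERNS.items()}


def clean_field(pattern, line=LOG_LINE):
    """The check a practitioner wants before saving a custom property: the
    pattern must match and $1 must be the bare field, with no surrounding
    whitespace or separator. Returns the field on success, else None."""
    result = extract(pattern, line)
    if result is None or result[1] is None:
        return None
    field = result[1]
    return field if field == field.strip() and field else None


if __name__ == "__main__":
    for name, result in compare_all().items():
        print(f"{name:14s} -> {result!r}")
```

Running the block shows that `two_words` and `capture_group` both hand back `Abonnement Mobile` in $1, `until_colon` returns the field with the trailing `N° ` the answer mentions, and `lookbehind` puts ` N°` in $1. `clean_field` is the same test the answer recommends doing with QRadar's extract-property field, done offline: it only accepts a pattern whose $1 is the bare field value.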