Regular expression pattern matching examples

The following examples illustrate general uses of regular expression pattern matching.

Regex examples

snmp-server community public

Finds any line that includes the text snmp-server community public. There can be text before and/or after the string on the same line.

service tcp-keepalives-in.*\n(.*\n)*.*service tcp-keepalives-out>

Finds the first line service tcp-keepalives-in and then looks for service tcp-keepalives-out on any line after that. The regular expression string .*\n(.*\n)*.* is used to search any number of lines between strings.

access-list 105 deny.*tcp any any eq 139 log

Finds the line with access-list 105 deny, followed by any number of characters of any type, followed by tcp any any eq 139 log on the same line. The regular expression string .* finds any character and any number of characters on the same line. This expression can be used to find spaces, tabs, numbers, letters, or special characters.

ntp clock-period \d*

Finds any line that includes ntp clock-period, followed by any number. The regular expression string \d* will find any number at any length, such as 3, 48, or 2394887.

user \x2a

Finds any line that includes user *. The regular expression string \x, followed by a hexadecimal value, specifies an individual character. In this example, \x2a represents the asterisk character, which has a hexadecimal value of 2a.

The following examples illustrate the use of SQL string and regular expression pattern matching in Syslog messages and rules.

Regex examples in Orion Log Viewer and deprecated Syslog Viewer (Search Messages tab)

In Orion Log Viewer, simplified regex patterns are not supported. Orion Log Viewer only searches by string. See View logs and events with the Log Viewer.

In the deprecated Syslog Viewer, regular expression search for syslog messages is not currently supported. Matching is only available on simple SQL string patterns, where ? or _ are used to indicate single, replaced characters and where * or % are used to indicate zero characters or to delineate multiple characters. See View Syslog messages in the SolarWinds Platform Web Console (deprecated)

IP Address filter:

• 192.168.74.* - IP addresses in range 192.168.74.1 - 192.168.74.255
• 192.168.74.? (or 192.168.74._) - IP addresses in range 192.168.74.1 - 192.168.74.9
• *.168.74* (or %.168.74%) - IP addresses containing .168.74
• %.74.25 (or *.74.25) - IP addresses ending with .74.25

Message Type filter:

• orion* (or orion%) - message type starts with "orion"
• message???? - message type starts with "message" plus any 4 symbols, like "message1234"
• %orion% (or *orion*) - message type contains "orion"

Message Pattern filter:

• syslog message from 192.168.* - message starts with "syslog message from 192.168."
• *Server_ * messages containing the word "Server" and any symbol before the space.

Regex examples in Syslog rules

Syslog rules allow you to filter matching messages using a Regex pattern, provided the Use regular expressions option is enabled. Regular expressions may be used in syslog message filtering in the Syslog Viewer.

The following examples do not apply to Orion Log Viewer (OLV). Orion Log Viewer has separate operators, such as starts with, does not start with, ends with, does not end with, or contains.

DNS Hostname pattern

• .*domain.com$ - DNS name ends with domain.com
• ^Orion.* - DNS name starts with Orion.
• .*Orion.* - DNS name contains Orion

Message Type Pattern

• ^[A,B,C] - message type starts with A, B or C.
• ^[0-9].*log$ - message type starts with number value from 1 to 9 and ends with log.

Message Pattern

• .*[^0-9]10.0.0.1[^0-9].* - message contains IP address 10.0.0.1
• ^Orion.*[^0-9]10.0.0.1[^0-9].* message starts with Orion and contains IP address 10.0.0.1.
  

  ".*" could be omitted at both the end and the beginning of the expression.