Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Operations Connector10.11

Develop > Pattern Matching in Policy Rules > Pattern-Matching Details

Pattern-Matching Details

Operations Agent provides a powerful pattern-matching language that reduces the number of conditions you must use. Selected, dynamic parts of text-based events can be extracted, assigned to variables, and used as parameters to build the event description or to set other attributes.

The pattern-matching language enables you to very accurately specify the character string that you want a rule to match.

In text boxes where pattern-matching expressions are allowed you can click for a shortcut menu with pattern-matching expressions that can be selected and inserted into the text box.

Matching special characters

Ordinary characters are expressions which represent themselves. Any character of the supported character set may be used. However, if any of the following special characters are used they must be prefaced with a backslash (\) that masks their usual function.

  \ [ ] < > | ^ $

If ^ and $ are not used as anchoring characters, that is, not as first or last characters, they are considered ordinary characters and do not need to be masked.

Matching characters at the beginning or end of a line

If the caret (^) is used as the first character of the pattern, only expressions discovered at the beginning of lines are matched. For example, "^ab" matches the string "ab" in the line "abcde", but not in the line "xabcde".

If the dollar sign is used as the last character of a pattern, only expressions at the end of lines are matched. For example, "de$" matches "de" in the line "abcde", but not in the line "abcdex".

Matching multiple characters

Patterns used to match strings consisting of an arbitrary number of characters require one or more of the following expressions:

<*> matches any string of zero or more arbitrary characters (including separators)
<n*> matches a string of n arbitrary characters (including separators)
<#> matches a sequence of one or more digits
<n#> matches a number composed of n digits
<_> matches a sequence of one or more field separators
<n_> matches a string of n separators
<@> matches any string that contains no separator characters, in other words, a sequence of one or more non-separators; this can be used for matching words
</> matches one or more line breaks
<n/> matches exactly n line breaks
<S> matches one or more white space characters: space, tab and new line characters (" ", \t, \n, \r)
<nS> matches exactly n white space characters

On Windows operating systems, a new line consists of two white space characters (\n\r).

Separator characters are configurable for each pattern. By default, separators are the space and the tab characters.

Matching two or more different expressions

Two expressions separated by the special character vertical bar (|) matches a string that is matched by either expression. For example, the pattern:

  [ab|c]d

matches the string "abd" and the string "cd".

Matching text that does not contain an expression

The NOT operator ( ! ) must be used with delimiting square brackets, for example:

  <![WARNING]>

The pattern above matches all text which does not contain the string "WARNING".

The NOT operator may also be used with complex subpatterns:

  SU <*> + <@.tty> <![root|[user[1|2]]].from>-<*.ot>

The above pattern makes it possible to generate a "switch user" event for anyone who is not user1, user2 or root. Therefore the following would be matched:

  SU 03/25 08:14 + ttyp2 user11-root

However, this line would not be matched, because it contains an entry concerning "user2":

  SU 03/25 08:14 + ttyp2 user2-root

Notice that if the subpattern including the not operator does not find a match, the not operator behaves like a <*>: it matches zero or more arbitrary characters. For this reason, the pattern-matching expression: <![1|2|3]> matches any character or any number of characters, except 1, 2, or 3.

Mask ( \ ) Operator

The backslash ( \ ) is used to mask the special meaning of the characters:

  [ ] < > | ^ $

A special character preceded by \ results in an expression that matches the special character itself.

Notice that because ^ and $ only have special meaning when placed at the beginning and end of a pattern respectively, you do not need to mask them when they are used within the pattern (in other words, not at beginning or end).

The only exception to this rule is the tab character, which is specified by entering "\t" into the pattern string.

Bracket ([ and ]) Expressions

The brackets ([ and ]) are used as delimiters to group expressions. To increase performance, brackets should be avoided wherever they are unnecessary. In the pattern:

  ab[cd[ef]gh]

all brackets are unnecessary--"abcdefgh" is equivalent.

Bracketed expressions are used frequently with the OR operator, the NOT operator and when using subpatterns to assign strings to variables.

Numeric range operators

Operations Agent provides six numeric range operators that can be used in pattern matching. The operators are used in this way:

Operator name	Syntax	Example/Explanation
Less than	`<[pattern This is a match pattern you provide that returns the number to be compared] -lt n This is the value against which you want to test the number returned by the match pattern>`	`<[<#>] -lt 5>` matches every number less than 5
Less than or equal to	`<[pattern] -le n >`	`<[<#>] -le 5>` matches 5 and every number less than or equal to 5
Greater than	`<[pattern] -gt n >`	`<[<#>] -gt 5>` matches every number greater than 5
Greater than or equal to	`<[pattern] -ge n >`	`<[<#>] -ge 5>` matches 5 and every number greater than or equal to 5
Equal to	`<[pattern] -eq n >`	`<[<#>] -eq 5>` matches 5 or 5.0
Not equal to	`<[pattern] -ne n >`	`<[<#>] -ne 5>` matches every number but 5 and 5.0
The operators can also be combined to produce matches according to ranges of numbers:
Matches numbers that belong to the interval, excluding the limits	`< n -lt [pattern] -lt n >`	`<5 -lt [<#>] -lt 10>` matches every number between 5 and 10 ( but not 5 or 10)
Matches numbers that belong to the interval, including the limits	`< n -le [pattern] -le n >`	`<5 -le [<#>] -le 10>` matches every number between 5 and 10 (including 5 and 10)
Matches numbers that do not belong to the interval, excluding the limits	`< n -gt [pattern] -gt n >`	`<10 -gt [<#>] -gt 5>` matches every number between 5 and 10 ( but not 5 or 10)
Matches numbers that do not belong to the interval, including the limits	`< n -ge [pattern] -ge n >`	`<10 -ge [<#>] -ge 5>` matches every number between 5 and 10 (including 5 and 10)
The number n can also be replaced by a parameter in the format `%%<parameter>%%`. The following shows an example with the Greater than operator:
Greater than defined parameter	`<[pattern] -gt %%<parameter>%% >`	`<[<#>] -gt %%threshold%%>` matches every number greater than the defined threshold

Send Help Center feedback