3 Replies Latest reply: Mar 22, 2012 3:53 PM by Fodome

Kiwi Syslog - Filtering "Message" Using RegEx Not Responding


I'm trying to set a MESSAGE filter looking for the string "src=10.1.1." - then I want to append a regex to limit the IP Addresses in this Rule.

For example, the field input I use is:

"src=10.1.1."[1-9]|[1-4][0-9] (src= thru src=

but all IPs are visible.

For testing, I use "src=10.1.1."[2], and make sure the test string IP Address is - test passes.

So I change the string to "src=10.1.1."[4], and force an event on that server. It appears in the messages - but so still do all the other IPs.

Can someone identify why this regex is not working?


  • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding

    Hello alarainc,

    The first thing you need to do is move your expression within the double-quotes.  Example: "src=10.1.1.[2]"

    The second thing you need to do is escape the periods. Example: "src=10\.1\.1\.[2]"

    To look for to, I believe the following should work:


    Let me know if this works.


    Chris Foley | Support Representative
    SolarWinds | IT Management, Inspired By You
    Support:866.530.8040 || Fax:512.857.0125

    • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding

      Thanks for your help.

      Unfortunately that didn't work, so I tried to simplify things by using a single placeholder, i.e.

      "src=10.1.1."[0-9] and some variations.

      The TEST button would occasionally, but the filter was never as I needed.

      I then noticed I had the rule TYPE set to COMPLEX vs RegExp.

      It started working better after this! Doh!

      But the filter was still allowing,, etc - but also and 10.1.1.xx, etc.

      I finally restricted the IP address to single or double digits by including the next character in the string (a parenthesis), and repeated the OR variations as follows:

      For IP Range - = "src=10.1.1.[1-9](" "src=10.1.1.[1-4][[0-9]("

      For IP Range - = "src=10.1.1.[5-9][[0-9](" "src=10.1.1.[1-2][0-5][0-9]("

      May not be the most efficient way - but it's working.
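
The over-matching described in this thread, reproduced with Python's `re` module as an added example (not code from any poster or from Kiwi Syslog). The sample messages and pattern names are constructed, the 1-49 last-octet range is taken from the expression in the question, and Kiwi's own regex engine may differ in details such as lookahead support.

```python
import re

# Constructed sample messages (firewall-style syslog text, not from the thread).
SAMPLES = {
    "10.1.1.4":   "fw1 conn built src=10.1.1.4(1025) dst=192.0.2.10(443)",
    "10.1.1.42":  "fw1 conn built src=10.1.1.42(1026) dst=192.0.2.10(443)",
    "10.1.1.50":  "fw1 conn built src=10.1.1.50(1027) dst=192.0.2.10(443)",
    "10.1.1.142": "fw1 conn built src=10.1.1.142(1028) dst=192.0.2.10(443)",
    "10.121.1.7": "fw1 conn built src=10.121.1.7(1029) dst=192.0.2.10(443)",
}

# Ungrouped alternation: "|" splits the whole pattern, so the right-hand
# branch is just "a digit 1-4 followed by a digit" anywhere in the line
# (it already matches the "10" in "src=10").
UNGROUPED = re.compile(r"src=10\.1\.1\.[1-9]|[1-4][0-9]")

# Grouped, but nothing stops the match after the octet's first digit(s):
# 10.1.1.50 matches via "5" and 10.1.1.142 via "1".
NO_BOUNDARY = re.compile(r"src=10\.1\.1\.(?:[1-9]|[1-4][0-9])")

# Boundary added, dots left unescaped: "." matches any character,
# so "10.121.1.7" satisfies "10.1.1." as well.
UNESCAPED = re.compile(r"src=10.1.1.(?:[1-9]|[1-4][0-9])(?!\d)")

# Escaped dots, grouped alternation, and a "no further digit" lookahead:
# last octet 1-49 only. The lookahead plays the role of the literal "("
# that the final post appends to each expression.
STRICT = re.compile(r"src=10\.1\.1\.(?:[1-9]|[1-4][0-9])(?!\d)")


def matched_sources(pattern):
    """Return the sample source IPs whose message the pattern lets through."""
    return sorted(ip for ip, msg in SAMPLES.items() if pattern.search(msg))


if __name__ == "__main__":
    for name, pat in [("UNGROUPED", UNGROUPED), ("NO_BOUNDARY", NO_BOUNDARY),
                      ("UNESCAPED", UNESCAPED), ("STRICT", STRICT)]:
        print(f"{name:12} {matched_sources(pat)}")
```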