3 Replies. Latest reply: Mar 22, 2012 3:53 PM by Fodome

    Kiwi Syslog - Filtering "Message" Using RegEx Not Responding


      I'm trying to set a MESSAGE filter looking for the string "src=10.1.1." - then I want to append a regex to limit the IP Addresses in this Rule.

      For example, the field input I use is:

      "src=10.1.1."[1-9]|[1-4][0-9] (src= thru src=

      but all IP's are visible.

      For testing, I use "src=10.1.1."[2], and make sure the test string IP Address is - test passes.

      So I change the string to "src=10.1.1."[4], and force an event on that server. It appears in the messages - but so still do all the other IP's.

      Can someone identify why this regex is not working?


        • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding

          Hello alarainc,

          The first thing you need to do is move your expression within the double-quotes.  Example: "src=10.1.1.[2]"

          The second thing you need to do is escape the periods. Example: "src=10\.1\.1\.[2]"

          To look for to, I believe the following should work:


          Let me know if this works.


          Chris Foley | Support Representative
          SolarWinds | IT Management, Inspired By You
          Support:866.530.8040 || Fax:512.857.0125

            • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding

              Thanks for your help.

              Unfortunately that didn't work, so I tried to simplify things by using a single placeholder, i.e.

              "src=10.1.1."[0-9] and some variations.

              The TEST button would occasionally, but the filter was never as I needed.

              I then noticed I had the rule TYPE set to COMPLEX vs RegExp.

              It started working better after this! Doh!

              But the filter was still allowing,, etc - but also and 10.1.1.xx, etc.

              I finally restricted the IP address to single or double digits by including the next character in the string (a parenthesis), and repeated the OR variations as follows:

              For IP Range - = "src=10.1.1.[1-9](" "src=10.1.1.[1-4][[0-9]("

              For IP Range - = "src=10.1.1.[5-9][[0-9](" "src=10.1.1.[1-2][0-5][0-9]("

              May not be the most efficient way - but it's working.
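
The over-matching described in this thread, reproduced as an added example that is not part of any post above. It uses Python's `re` module rather than Kiwi Syslog's own filter engine. The sample messages are constructed, and the intended last-octet range of 1 to 49 is an assumption read from the pattern in the first post.

```python
import re

# Constructed sample messages: the "src=<ip>(" layout follows the thread,
# the rest of each line is invented for illustration.
SAMPLES = [
    "fw01 allow src=10.1.1.4(1025) dst=192.0.2.10(443)",
    "fw01 allow src=10.1.1.49(1026) dst=192.0.2.10(443)",
    "fw01 allow src=10.1.1.50(1027) dst=192.0.2.10(443)",
    "fw01 allow src=10.1.1.140(1028) dst=192.0.2.10(443)",
    "fw01 allow src=10.1.2.7(1029) dst=192.0.2.33(443)",
    "fw01 allow src=10.111.4.9(1030) dst=192.0.2.10(443)",
]

# Pattern shaped like the first attempt. Three problems:
#  - "|" splits the WHOLE expression, so "[1-4][0-9]" alone matches any
#    two digits such as the "10" inside every address;
#  - an unescaped "." matches any character, so 10.111.4.9 also fits;
#  - nothing ends the octet, so "5" of "50" satisfies [1-9].
NAIVE = re.compile(r"src=10.1.1.[1-9]|[1-4][0-9]")

# Grouped alternation, escaped dots, and the literal "(" that follows the
# address in these messages (the terminator used in the last post).
STRICT = re.compile(r"src=10\.1\.1\.(?:[1-9]|[1-4][0-9])\(")


def matching_sources(pattern, lines):
    """Return the src address of every line the pattern lets through."""
    hits = []
    for line in lines:
        if pattern.search(line):
            hits.append(re.search(r"src=([\d.]+)", line).group(1))
    return hits


if __name__ == "__main__":
    print("naive :", matching_sources(NAIVE, SAMPLES))
    print("strict:", matching_sources(STRICT, SAMPLES))
```

Where the character after the address is not fixed, a negative lookahead such as `(?!\d)` in place of `\(` ends the octet the same way in engines that support it.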