Regex and CONTENT field
Yes, you're right. I don't doubt it worked like that before, but I question what changes they may have made in SP2.
From my experience, using the NOT LIKE (or LIKE) comparison against [CONTENT] used to be (before v4.0) a good way to do partial string / sub-string matches, but RSA fixed that (read: took the capability away while fixing something else) in v4.0 so now anything in a LIKE or NOT LIKE [CONTENT] is going to have to match the entire [CONTENT]. I know, I know, it defies all the rules of sanity, but it is what it is. I suspect maybe that's what's happening in your case.
You may have already tried this, but in the correlation alert build a filter statement that uses REGEX comparison against the exact field you're after, or perhaps [content] if it will let you, and use something along the lines of
I didn't test that pattern, but you get the general idea.
It could be that the pattern you're specifying now, in the NOT LIKE, is attempting to filter as a literal string of text .*/20..19|20|21|22):.* against the entire [CONTENT], and because the entire [CONTENT] doesn't look like .*/20..19|20|21|22):.* your alerts are not getting filtered like you want.
I'm probably wrong... no sooner do I learn how it works than some SP comes along and makes undocumented changes to the logic of how the product works, and I'm forever questioning myself.
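The distinction the reply above draws (a comparison that has to match the entire [CONTENT] versus a REGEX that can match a substring) is easy to get wrong, so here is a small added example that emulates the three behaviours side by side. It is not code from the original thread or from the RSA product; it is a plain-Python model. The sample [CONTENT] lines are constructed, the pattern names are mine, and the hour-of-day pattern is an assumed interpretation of the shape of the pattern quoted in the thread (year 20xx followed by an hour of 19 to 22), adjusted to the constructed lines' mm/dd/yyyy hh:mm:ss timestamp.

```python
import re
from typing import Callable, List

# Constructed sample [CONTENT] values, modelled loosely on firewall log
# lines with an "mm/dd/yyyy hh:mm:ss" timestamp. Not taken from the thread.
SAMPLE_CONTENT = [
    "drop src=10.0.0.5 dst=10.0.0.9 rule=7 time=12/03/2011 19:44:12",
    "accept src=10.0.0.5 dst=10.0.0.9 rule=3 time=12/03/2011 22:05:41",
    "accept src=10.0.0.7 dst=10.0.0.9 rule=3 time=12/03/2011 08:15:02",
    "drop src=10.0.0.8 dst=10.0.0.9 rule=7 time=12/04/2011 21:59:59",
]

# The pattern exactly as quoted in the thread. As a regex it does not
# compile because of the unmatched ')'.
THREAD_PATTERN = ".*/20..19|20|21|22):.*"

# Assumed intended meaning: a 20xx year, a space, then an hour of 19..22.
# The alternation is grouped so it applies only to the hour.
HOUR_PATTERN = r"/20\d\d (19|20|21|22):"

# Same thing wrapped in .* so it can satisfy a whole-field comparison.
ANCHORED_PATTERN = ".*" + HOUR_PATTERN + ".*"

# The classic mistake: alternation without a group. This reads as
# ".*/20dd 19"  OR  "20"  OR  "21"  OR  "22:.*", which is not intended.
UNGROUPED_PATTERN = r".*/20\d\d 19|20|21|22:.*"


def is_valid_regex(pattern: str) -> bool:
    """Return True if the pattern compiles as a regex."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def literal_whole_field(pattern: str, content: str) -> bool:
    """Post-4.0 LIKE as the reply describes it: the pattern is compared as a
    literal string against the entire [CONTENT]; no wildcards, no regex."""
    return pattern == content


def regex_whole_field(pattern: str, content: str) -> bool:
    """REGEX comparison that must consume the whole field."""
    return re.fullmatch(pattern, content) is not None


def regex_substring(pattern: str, content: str) -> bool:
    """REGEX comparison that may match anywhere inside the field."""
    return re.search(pattern, content) is not None


def not_matching(pattern: str, contents: List[str],
                 matcher: Callable[[str, str], bool]) -> List[str]:
    """Emulate a NOT <comparison> filter: return the events the pattern does
    NOT match, i.e. the ones that would still go on to alert."""
    return [c for c in contents if not matcher(pattern, c)]


if __name__ == "__main__":
    print("thread pattern compiles:", is_valid_regex(THREAD_PATTERN))
    for name, pat, fn in [
        ("literal, whole field", THREAD_PATTERN, literal_whole_field),
        ("regex, whole field, bare", HOUR_PATTERN, regex_whole_field),
        ("regex, substring", HOUR_PATTERN, regex_substring),
        ("regex, whole field, .* anchored", ANCHORED_PATTERN, regex_whole_field),
        ("regex, substring, ungrouped", UNGROUPED_PATTERN, regex_substring),
    ]:
        kept = not_matching(pat, SAMPLE_CONTENT, fn)
        print(f"{name}: {len(kept)} of {len(SAMPLE_CONTENT)} events still alert")
```

Run as a script it prints how many of the four sample events survive each filter. The literal whole-field comparison never matches, so nothing is suppressed; the bare hour pattern suppresses the three evening events only when it is allowed to match a substring, or when it is wrapped in `.*` for a whole-field match; and the ungrouped pattern matches every line under a substring search because the bare alternative `20` is found in every "2011".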
I went back to my old notes. The reason this is broken is that my variables used to parse... they stopped. Parsing is occurring correctly in the query, but the Statement filter is not showing anything but [Content]. No XML changes were made. Any troubleshooting tips are appreciated.
Yeah, that sounds frustrating. I'm unsure of what's causing that, can't really offer any suggestions, but can confirm that I have seen that before just once, with one of my correlated alerts. It was specific to Checkpoint Firewall logs, and the same thing happened... went in there one day and the filter statement had lost the list of all field names, and only displayed [CONTENT]. Backed out one page and removed the specific event ID (specified on the previous page) and re-added it, and the values reappeared like you described. Weird.
Just to update everyone on this issue: the disappearing variables is a known issue with no known fix, but support is working on it. There is a fix if you are running SP2 but not SP3, because the fix was recompiled into the webserver service and is not part of SP3. I am waiting on a delivery date, but it appears that the NOT LIKE is working just fine; not sure what was going on when I originally posted.