This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-04-22 01:38 PM

Regex in Reports

Who would like to see Regex capabilities in building repoprts!

 

I would. 

 

This would be a useful feature request to assist in building reports.

 

 

0 Likes
Reply
7 Replies
RSAAdmin
Beginner
Beginner
‎2008-07-21 06:07 PM

It would be helpful to use regex watchlists in reports, even if just limited functionality, like using the regex watchlists.  Even if it was implemented by translating the regex to a non-regex list, it would save me a lot when running my monthly metrics reports.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-10-17 09:38 AM

I second these notions.  Using regex in reports and watchlists would help me too.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-07-08 01:58 PM

 

 Yes! Please!

 

Implementing more regexes in more places would be good. And the more robust the regex engine, the better. A wrapper for Java.util.regex would be fine, or a wrapper that only implments the features in common between Java.util.regex and the engine that Sybase embedded. 

 

Also, having access to the watchlist table, and a way to split the listvalues column in reports would be awesome! It would save me a lot of grief, and make reporting so much more flexible.

A WHERE clause like the following would be handy in a report:

 

SourceAddress not in (select SOME_SPLIT_FUNCTION(listvalues) from watchlist  where name = "Management Platform")

 

Then I can easily ignore all my management servers and monitoring servers without the need to tune all my IDSs, etc. 

 

PLEASE!

 

0 Likes
Reply
GrzegorzFlak
Beginner
Beginner
In response to RSAAdmin
‎2009-07-08 03:28 PM

You can use watchlist in such a way in Event Explorer and Advanced Tables/Charts. Try function:

 

in_watchlist(variable, 'watchlist_name')

 

i.e. Select fld1, fld2,... from Stream where in_watchlist(SourceAddress, "Blacklisted IP")

 

Regards

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to GrzegorzFlak
‎2009-07-08 04:38 PM

So, for example, when doing a report againt the "Intrusion Detection System" table, in the SQL WHERE clause field, are you proposing that I place something akin to "in_watchlist(SourceAddress, 'monitoring servers')" in there?

 

Or something more akin to:

SourceAddress NOT IN (select ? from ? where in_watchlist(?,"monitoring servers'))

 

? -> values I'm not sure of. 

 

I've tried a couple different vairations on both, neither seem to work. 

0 Likes
Reply
GrzegorzFlak
Beginner
Beginner
In response to RSAAdmin
‎2009-07-08 04:48 PM

I forgot to add, that it is working only in EventExplorer 4.0. So do not try it in reports module or EE 3.x. 

And both examples should actualy (I have never try second one).

In reports reports module you can use statement ... "SourceAddres in ($variable_name)"  instead of "like". But it will not work with regex lists. And you have to create new variable of "watchlist" type of course. 

 

Regards

Message Edited by gstefan on07-08-200904:57 PM
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to GrzegorzFlak
‎2009-07-09 10:44 AM

Boy do I feel dumb ... I never noticed that "Parameter Definitions" thing in there before ... wow.

Too bad you still can't use a regex list, but wow. boy do I feel dumb .....

 

Thanks. 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.