Regex in Reports
It would be helpful to use regex watchlists in reports, even if just limited functionality, like using the regex watchlists. Even if it was implemented by translating the regex to a non-regex list, it would save me a lot when running my monthly metrics reports.
Implementing more regexes in more places would be good. And the more robust the regex engine, the better. A wrapper for Java.util.regex would be fine, or a wrapper that only implments the features in common between Java.util.regex and the engine that Sybase embedded.
Also, having access to the watchlist table, and a way to split the listvalues column in reports would be awesome! It would save me a lot of grief, and make reporting so much more flexible.
A WHERE clause like the following would be handy in a report:
SourceAddress not in (select SOME_SPLIT_FUNCTION(listvalues) from watchlist where name = "Management Platform")
Then I can easily ignore all my management servers and monitoring servers without the need to tune all my IDSs, etc.
You can use watchlist in such a way in Event Explorer and Advanced Tables/Charts. Try function:
i.e. Select fld1, fld2,... from Stream where in_watchlist(SourceAddress, "Blacklisted IP")
So, for example, when doing a report againt the "Intrusion Detection System" table, in the SQL WHERE clause field, are you proposing that I place something akin to "in_watchlist(SourceAddress, 'monitoring servers')" in there?
Or something more akin to:
SourceAddress NOT IN (select ? from ? where in_watchlist(?,"monitoring servers'))
? -> values I'm not sure of.
I've tried a couple different vairations on both, neither seem to work.
I forgot to add, that it is working only in EventExplorer 4.0. So do not try it in reports module or EE 3.x.
And both examples should actualy (I have never try second one).
In reports reports module you can use statement ... "SourceAddres in ($variable_name)" instead of "like". But it will not work with regex lists. And you have to create new variable of "watchlist" type of course.
Boy do I feel dumb ... I never noticed that "Parameter Definitions" thing in there before ... wow.
Too bad you still can't use a regex list, but wow. boy do I feel dumb .....