Running Investigator 9.8.5.19. Trying (unsuccessfully) to use a regex expression to look for specific HTTP Cookie patterns.
As a simple test, I've tried this custom drill (after narrowing results to HTTP and specific alerts):
req.uniq regex 'C5=;'
(Single quotes surrounding expression, and literally looking for the 4 character string). This runs successfully, but returns no results. If I look at the sessions, there clearly are sessions with this string in req.uniq.
What's magic about trying to get regex working? Will they work properly on a meta data item that may exist multiple times in session?
My end goal is a more complex regex, but if I can't get a simple match to work, more complicated certainly won't...
Thanks--
Well, it seems that req.uniq and res.uniq are from the IR pack and since they deal with widely varying data ARE NOT INDEXED. So, to answer my own question:
No, I CANNOT use regex with Investigator to find this pattern, but I CAN use regex in an App Rule to set meta, based on this pattern.