Best Practice: Regular Expressions (regex)

LogScale supports the use of regular expressions (regex); they can be invoked almost anywhere by enclosing your regex in forward slashes. For example:

#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/\\(System32|SysWow64)\\/i

The above example looks for process execution events whose ImageFileName field includes one of the following two values: \System32\ or \SysWow64\. The i after the closing slash makes the match case-insensitive.

When writing regexes for LogScale, some things to remember are:

  • You don't need to add .* to the start or end of your regex; a leading and trailing wildcard is implied. To match a literal beginning or end of the string, anchor your regex with ^ or $ (e.g. /^powershell\.exe$/i).

  • As previously mentioned, regexes can be made case-insensitive by adding i after the closing forward slash.

  • In-line field extractions can be included using a named capture group, (?<fieldName>...), which creates a new field from the matched text.

Let's look at an example that includes all 3 concepts:

#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/\\(?<systemFolder>(System32|SysWow64))\\/i
| groupBy([systemFolder, ImageFileName])
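To see what the query above actually does to a batch of events, here is an added example (not from the LogScale documentation) that emulates the filter, the /i flag, the systemFolder extraction and the groupBy over a handful of constructed ProcessRollup2 events. JavaScript is used because its regex literals accept the page's (?<name>...) syntax unchanged; the event objects and counts are assumptions for illustration.

```javascript
// The page's regex, verbatim. A JS regex literal treats "\\" as one literal
// backslash, and exec() searches anywhere in the string, mirroring LogScale's
// implied leading/trailing wildcard (no .* needed).
const SYSTEM_FOLDER = /\\(?<systemFolder>(System32|SysWow64))\\/i;

// Anchored variant from the page: only a string that IS "powershell.exe".
const POWERSHELL_EXACT = /^powershell\.exe$/i;

// Constructed sample events (field names follow the page, values are made up).
const EVENTS = [
  mk('Win', '\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe'),
  mk('Win', '\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe'),
  mk('Win', '\\Device\\HarddiskVolume1\\Windows\\SYSWOW64\\cmd.exe'), // matched via /i
  mk('Win', '\\Device\\HarddiskVolume1\\Users\\Public\\cmd.exe'),     // dropped by regex
  mk('Lin', '/usr/bin/System32\\'),                                    // dropped by platform
];

function mk(platform, imageFileName) {
  return { '#event_simpleName': 'ProcessRollup2',
           event_platform: platform, ImageFileName: imageFileName };
}

// Emulates: #event_simpleName=ProcessRollup2 event_platform=Win
//           ImageFileName=/\\(?<systemFolder>(System32|SysWow64))\\/i
//           | groupBy([systemFolder, ImageFileName])
function runQuery(events) {
  const counts = new Map();
  for (const ev of events) {
    if (ev['#event_simpleName'] !== 'ProcessRollup2' || ev.event_platform !== 'Win') continue;
    const m = SYSTEM_FOLDER.exec(ev.ImageFileName);
    if (!m) continue;                       // non-matching events fall out of the result
    const systemFolder = m.groups.systemFolder; // extracted field, case as seen in the event
    const key = JSON.stringify([systemFolder, ev.ImageFileName]);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].map(([key, _count]) => {
    const [systemFolder, ImageFileName] = JSON.parse(key);
    return { systemFolder, ImageFileName, _count };
  });
}

function isExactPowershell(name) {
  return POWERSHELL_EXACT.test(name);
}

console.table(runQuery(EVENTS));
```

Note that the extracted systemFolder keeps the case found in the event (SYSWOW64 here), so case-insensitive matching does not normalise the values groupBy sees.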

For more information on the LogScale Query Language, see the documentation page Query Language Syntax.