Release 2008.2
Table 3   Matcher Entity Parameters (continued)

Parameter: capture-group (Optional)

Description: Specify capture group(s), as denoted in the regular expression inside parentheses ( ). These captures are indexed starting at one and processed from left to right in the pattern. The capture-group field must be a positive integer less than or equal to the number of capture groups contained in the pattern. The default value is zero, which will be the entire match.

For example, you can define a single pattern for a source IP address and port, where the SourceIp matcher may use a capture group of 1 and the SourcePort matcher may use a capture group of 2, but only one pattern needs to be defined.

This field has a dual purpose when combined with the enable-substitutions parameter.

Parameter: enable-substitutions (Optional)

Description: Specify this Boolean parameter as true when a field cannot be adequately represented with a straight group capture. You can combine multiple groups together with extra text to form a value. This parameter enables that behavior.

This parameter changes the meaning of the capture-group parameter. The capture-group parameter creates the new value, and group substitutions are specified using \x where x is a group number from 1 to 9. You may use groups multiple times, and any free-form text can also be inserted into the value. For example, if you need to form a value out of group 1, followed by an underscore, followed by group 2, an @, and then group 1 again, the appropriate capture-group syntax is:

    capture-group="\1_\2@\1"

In another example, a MAC address is separated by colons, but STRM assumes that MAC addresses are hyphen separated. The syntax to parse and capture the individual portions is:

    capture-group="\1:\2:\3:\4:\5:\6"

If no groups are specified in the capture-group when substitutions are enabled, a direct text replacement occurs.

Default is false.
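
The capture-group and enable-substitutions behavior described in this table, emulated in Python so a pattern can be checked against sample events before it is deployed. This is an added example, not STRM code or part of the original guide: the function name apply_matcher, the sample event, and the handling of a non-matching payload or an out-of-range group are assumptions, and Python's regex engine may differ from the one STRM uses.

```python
import re

# Constructed sample event; not taken from any real device.
SAMPLE = "Jan 5 10:00:01 fw01 DROP src=10.1.2.3:4431 proto=tcp"

# One pattern, two capture groups: group 1 = source IP, group 2 = source port.
SRC_PATTERN = r"src=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"


def apply_matcher(pattern, payload, capture_group="0", enable_substitutions=False):
    """Emulate one matcher entity; return the extracted value or None.

    Assumptions: no match returns None, and a group number larger than
    the number of groups in the pattern raises ValueError.
    """
    m = re.search(pattern, payload)
    if m is None:
        return None
    group_count = m.re.groups

    def checked(index):
        if index > group_count:
            raise ValueError(
                "capture-group %d exceeds the %d groups in the pattern"
                % (index, group_count))
        return m.group(index) or ""

    if not enable_substitutions:
        # Plain mode: capture-group is an index; 0 (the default) is the entire match.
        if not capture_group.isdigit():
            raise ValueError("capture-group must be a non-negative integer")
        return checked(int(capture_group))

    # Substitution mode: capture-group is a template in which \1 to \9 are
    # replaced by the matching groups; all other text is copied through.
    # A template with no \x references therefore comes back unchanged,
    # which is the "direct text replacement" case.
    return re.sub(r"\\([1-9])", lambda ref: checked(int(ref.group(1))), capture_group)


if __name__ == "__main__":
    print("SourceIp   :", apply_matcher(SRC_PATTERN, SAMPLE, "1"))
    print("SourcePort :", apply_matcher(SRC_PATTERN, SAMPLE, "2"))
    print("Combined   :", apply_matcher(SRC_PATTERN, SAMPLE, r"\1_\2@\1", True))
```
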