Today, one of my customers asked me to create some groups and Live Maps views containing network devices within a specific IP address range. Now, I'm a big fan of the "work smarter, not harder" principle, so I wanted the groups and views to be dynamic, using regular expressions.
I've worked with regular expressions before, which is fairly manageable with a table of the metacharacters at hand. However, I find IP addresses a lot trickier, which is why I'm posting different solutions.
Before advancing, I would like to introduce you to a dear friend of mine: www.regexpal.com. On regexpal.com you can test your regular expressions to make sure they are working.
All possible IP addresses:
^(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))$
Yes, this looks pretty complicated, but I’m going to break it down in some examples.
Example 1: you want all the IP addresses with an XXX.50.XXX.XXX address:
^(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(50)\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))$
Example 2: you want all the IP addresses with an XXX.XXX.2.1 address:
^(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(2)\.(1)$
Example 3: you want IP addresses whose second octet lies between 10.10.10.1 and 10.20.10.1 (10.10.X.X and 10.20.X.X):
^(10)\.(1\d)\.(10)\.(1)$ = everything between 10.10.10.1 and 10.19.10.1
^(10)\.(20)\.(10)\.(1)$ = 10.20.10.1, but not 10.21.10.1
Example 4: IP addresses starting with 10:
^(10)\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))$
Example 5: IP addresses starting with 192.168.100:
^(192)\.(168)\.(100)\.(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))$
Using these examples and regexpal.com, it's a lot easier to make a regular expression. Let me know if you need other examples 🙂
Happy regular expressioning!
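A pattern that matches the addresses you tried can still match many you did not intend, which silently widens a dynamic group. The following added example (not part of the original post) audits each octet of an anchored pattern against the values it is meant to accept. It assumes Python's re module as a stand-in for the engine OpsMgr uses; the names octet_values, audit, tight and loose are hypothetical.

```python
import re

# "Any octet 0-255" sub-pattern used throughout the post.
ANY_OCTET = r"(\d|[1-9]\d|1\d\d|2([0-4]\d|5[0-5]))"


def octet_values(sub_pattern):
    """Return the set of values 0..255 that one octet sub-pattern accepts."""
    rx = re.compile(sub_pattern, re.ASCII)
    return {n for n in range(256) if rx.fullmatch(str(n))}


def audit(pattern, intended):
    """Compare every octet of an anchored four-octet pattern with the values
    it is meant to accept. Returns (octet_number, unexpected, missing) for
    each octet whose accepted set differs from the intended one."""
    if not (pattern.startswith("^") and pattern.endswith("$")):
        raise ValueError("pattern must be anchored with ^ and $")
    # The post's patterns separate octet groups with an escaped dot.
    parts = pattern[1:-1].split(r"\.")
    if len(parts) != 4:
        raise ValueError("expected four octet groups separated by \\.")
    problems = []
    for number, (sub, want) in enumerate(zip(parts, intended), start=1):
        got, want = octet_values(sub), set(want)
        if got != want:
            problems.append((number, sorted(got - want), sorted(want - got)))
    return problems


ALL = range(256)

# Constructed sample patterns for "addresses starting with 10".
tight = r"^(10)\." + r"\.".join([ANY_OCTET] * 3) + "$"
loose = r"^(10|1\d\d|2([0-4]\d|5[0-5]))\." + r"\.".join([ANY_OCTET] * 3) + "$"

if __name__ == "__main__":
    for name, pat in (("tight", tight), ("loose", loose)):
        findings = audit(pat, [[10], ALL, ALL, ALL])
        if not findings:
            print(f"{name}: every octet accepts exactly the intended values")
        for octet, extra, missing in findings:
            print(f"{name}: octet {octet} accepts {len(extra)} unintended "
                  f"values and misses {len(missing)} intended ones")
```

The loose pattern accepts 10.x.x.x as intended, but also every address whose first octet is 100 to 255, which a handful of manual tests on 10.x addresses would not reveal.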
Mike, great post. I do have a custom regex rule I need help with and thought I would run it by you. It sounds like the regex used for group calc is different than the regex used for the SDK, but not sure what that really means and my regex skills are minimal at best. http://support.microsoft.com/kb/2702651. I am using SCOM 2007 R2.
The basic requirement is to monitor a log file for a capital ‘E’ with leading and trailing spaces. An example of one error in the log is below. Now I know that using a PowerShell regex tester my regex does return true, if I use (s+Es+) as well as (bEb). I have tried several variations of this in my rule but I do not get an alert. I am also not sure if I need to use a ‘/’ as such: (/s+Es+/). I have also tried this using parens and not using them ().
[2/12/13 5:17:05:414 EST] 00000040 wle E CWLLG2041E: TeamWorksJavaScriptException created non-nested.
To confirm that the agent is working and the rule logic is good, I did setup the rule to use a basic regex like (^abu). If I put ‘abu’ at the start of the line in the log file I do get an alert.
Alert Rule setup:
Directory: D:IBMWebSphereAppServerprofilesBPMStdCustomPrd01logsPRD80.WebApp.BPMStdCustomPrdNode01.0
Pattern: SystemOut-test.log
Expression: Params/Param[1] Matches Regular Expression (s+Es+)
Hi MikeK
Thanks for commenting. Are you just trying to create a monitor that looks for a log file with a capital “E” in the name?
Regards
Michael
[…] Create the Groups It is a good idea to create a new management pack to contain the groups and the rules used in syslog monitoring. It simplifies targeting for overrides without getting into additional details of visibility limitations due to sealed and unsealed management packs. Once you have your devices discovered, the next step is to create groups containing similar devices that will share similar syslog events you want to target. For example, you might want to create a group to contain your routers, another for your edge switches, another for your core switches, another for your VoIP telephony, etc. Populate the groups accordingly with the network devices. When you target the members (either via the Explicit Members or the Dynamic Member tabs) you will want to target objects of type Node (System.NetworkManagement.Node). I would add that you will need a pretty solid IP scheme standard in place (e.g. 1-5 in last octet reserved for routers, 6-15 in last octet reserved for switches, etc.) in your environment to leverage the Dynamic Members tab effectively. If you do, this site has helped me quite a bit with the joy that is regex for ip addresses: Working with regular expressions and ip addresses in OpsMgr 2012. […]