ITOM Event Rules Regex for expressions

boey007 · ‎04-22-2020

Hello all,

I hope you can help me overcome something which in the face of it seems an trivial issue.

I am creating a new event rule from the 'create event rule' wizard and in the transform section want to extract a value using regex to populate in my alert output. The source information is in the event input, additional information field.

My field content is

{"version":"0","id":"ae757f3a-1111-ddee-ac65-f7d2ea76ce2f","detail-type":"EC2 Instance State-change Notification","source":"aws.ec2","account":"675031479010","time":"2020-04-09T13:20:19Z","region":"us-east-1","resources":["arn:aws:ec2:us-east-1:435031421121:instance/i-04b42e0f4cssde3d2"],"detail":{"instance-id":"i-04b42e0f4c4dc5532","state":"running"}}

I want to extract the instance-id value from the content.

My Regex is

"instance\-id":"(.*)",

which verifies as correct on regex101 tester and returns the instance-id value in group1 which is assigned to the expression variable.

On testing the rule condition all that is returned is <<UNKNOWN>> which i understand to be a failure to get the information.

Thanks for any assistance in advance.

patrickkenney · ‎04-23-2020

Thanks Ryan. I stand corrected.

Below is one way to get the result you are looking for.

While displaying an Event with the contents in the format you expect, select "Create Event Rule" in the upper right. This will open an Event Rule Wizard that keeps the event contents available to use. If you had properly formatted JSON in the Additional Information, those key value pairs will be listed as available variables under the Event Input section. Below is the result using your example

The "detail" variable above is now available to be used in a regex. This can be done clicking on the variable and using the regex tool to highlight the data to extract. You can also create the regex on this screen as well.

When using this wizard I have found it neccessary to create "Null" variables to account for any globing that is needed.

The resulting regex can be viewed using the editing toggle "</>" in the upper right of this window. It will display the regex created from the highlighting.

Note - If you update the regex on this screen you will lose the ability to use the highlighting method.

The above results in a variable called instance_ID that can be used in your rule where needed. It will be displayed under the Expressions section with the result from the data used in the Event Rule creation

For testing I added the instance_ID to the description.

The resulting Alert when sending a new event that matches this rule displays the description field with the Instance ID in it.

View solution in original post

BharatiK · ‎02-12-2025

Hi @patrickkenney,

I have gone through this post and helped a lot.

I have one more requirement i.e. when we select the text and after that we select the field so in second step I have to provide some other name e.g. regExInstance (meaning not selecting the field from dropdown).

can you please suggest on this?

Ryan Zulli · ‎02-12-2025

Hi @BharatiK - What is your question? And can you provide an example? Also, if you're referring to using the highlight tool - thats great during a proof of concept, however it is best practice to use traditional regex when parsing out the event payload.

happy to help - let me know.

Thanks,

-Ryan

NR · ‎08-30-2020

I understand this is a custom requirement but We have an existing article that might help you, in case you are not aware. You can find it here! https://hi.service-now.com/kb_view.do?sysparm_article=KB0809836

Betzaida Garcia · ‎08-04-2022

Hey I'm testing an event rule and it just print my regex on the event, any thoughts on that?