Trying to pull a username from a description.

I am new to InTrust and I am trying to set up a rule that sends an alert when someone fails to log on for either a bad password or a bad username. The issue is that the logs come in entirely under insertion string 1 and Event ID 0. I have used the 3 parameters thus far: Threshold for the 3 attempts, Time Period, and Keys to define the failed logon message within the field. I need it to now read the username written in that same field. If someone could help me out I would greatly appreciate it. Thank you!

  • Hi Brian, does this topic continue the thread https://www.quest.com/community/intrust/f/forum/31182/application-log-and-realtime-alert ?

    OK, this can be done with regular expressions; you should write a regex for String1. Since you did not provide any details, I will give you an example based on the previous thread plus my guess-work. If we have two events:

    An attempt was made to login under dom\flast. Access Denied. This user is inactive.
    An attempt was made to login under dom\flast. Access Denied. This user account does not exist.

    An example of a rule that "reads the user name" might be as follows:

    <rule type="REL" version="1.0">
    <arguments>
        <argument displayname="User Name Regexp" name="Key" class="Text" description="A regular expression for the user name to search in the Insertion String 1.">
        <value>".*\\s([a-zA-Z][a-zA-Z0-9\\-\\.]{1,61}[a-zA-Z]\\\\\\w[\\w\\.\\-]+)\\.\\s.*"</value>
        </argument>
    </arguments>
    <prefilter>
    </prefilter>
    <body>
        EventID = 0
        and set_alert_field("UserName", substr(String1, regexp(array(<parameter name="Key"/>), String1, "i")[1][0], regexp(array(<parameter name="Key"/>), String1, "i")[1][1]));
    </body>
    </rule>

    The regexp function returns an array of numbers: the index where the regexp matched and the length of the match, see https://support.quest.com/technical-documents/intrust/11.4.1/customization-kit/7#String . These indexes are then used in the substr function. My regexp is .*?\s([a-zA-Z][a-zA-Z0-9\-\.]{1,61}[a-zA-Z]\\\w[\w\.\-]+)\.\s.*; it searches for something that contains \ inside and ends with a period. Note that you should double all backslashes after you copy the regexp into the rule.
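To show what the answer's regexp actually captures, here is an added Python example (not part of the thread and not InTrust's own code). It uses Python's `re` module in place of InTrust's `regexp()`/`substr()` functions, so the index/length mechanics are only mirrored, with the assumption that element [1] of the returned array refers to capture group 1. The sample events, the extra `dom.local\j.doe` line, the line with no user name, and the sliding-window reading of the Threshold / Time Period parameters from the question are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Python form of the regexp from the answer above, written with single
# backslashes. The rule's <value> needs every backslash doubled, as noted.
USERNAME_RE = re.compile(
    r".*\s([a-zA-Z][a-zA-Z0-9\-\.]{1,61}[a-zA-Z]\\\w[\w\.\-]+)\.\s.*",
    re.IGNORECASE,
)


def regexp(pattern, text):
    """Return (index, length) of capture group 1, mirroring the index/length
    pair the answer describes. Assumption: [1] refers to capture group 1."""
    m = pattern.search(text)
    if m is None:
        return None
    return m.start(1), m.end(1) - m.start(1)


def substr(text, index, length):
    """Stand-in for InTrust's substr(String1, index, length)."""
    return text[index:index + length]


def extract_username(string1):
    """The rule body's logic: locate the user name, then cut it out of String1."""
    loc = regexp(USERNAME_RE, string1)
    return None if loc is None else substr(string1, *loc)


def failed_logon_alerts(events, threshold=3, period_seconds=300):
    """events: iterable of (timestamp_seconds, string1) in time order.
    Returns the user names that reach `threshold` failures inside any window of
    `period_seconds`. This is a constructed, simplified reading of the
    Threshold / Time Period parameters, not InTrust's implementation."""
    windows = defaultdict(deque)
    alerted = set()
    for ts, string1 in events:
        user = extract_username(string1)
        if user is None:
            continue  # no user name in the message: the rule would not fire
        q = windows[user.lower()]
        q.append(ts)
        while q and ts - q[0] > period_seconds:
            q.popleft()  # drop failures that fell out of the time period
        if len(q) >= threshold:
            alerted.add(user)
    return alerted


# Constructed sample events in the shape of the answer's two messages.
SAMPLE_EVENTS = [
    (0,   r"An attempt was made to login under dom\flast. Access Denied. This user is inactive."),
    (60,  r"An attempt was made to login under dom\flast. Access Denied. This user account does not exist."),
    (120, r"An attempt was made to login under dom.local\j.doe. Access Denied. This user is inactive."),
    (150, r"An attempt was made to login under dom\flast. Access Denied. This user is inactive."),
    (900, r"An attempt was made to login. Access Denied."),  # no user name
]

if __name__ == "__main__":
    for _, s in SAMPLE_EVENTS:
        print(extract_username(s))
    print(failed_logon_alerts(SAMPLE_EVENTS))
```

Running it prints `dom\flast` for the first, second and fourth messages, `dom.local\j.doe` for the third, `None` for the last, and `{'dom\\flast'}` as the only account that hit three failures inside the 300-second window. The capture group requires a backslash inside the name and a period right after it, so a message without a `domain\user` token yields no match and no alert field, which is the case to watch for when the log source changes its wording.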
