Regular expression format in user_alert.conf

Question

I'm trying to use iCall and an event from user_alert.conf to fail over a BIG-IP VE cluster if an arbitrary BGP neighbor goes down. I have the handler and script working just fine if the event only looks in my logs for a static phrase, but when I have it look for a regex instead, it no longer works. However, if I test in a tool like regex101 with my expression and a log entry, it matches just fine.Here's my user_alert.conf (sanitized of course)alert bgp_neighbor_down "neighbor 100.200.[0-9]{1,3}.[0-9]{1,3} Down" {
        exec command="tmsh generate sys icall event neighbordown context { { name protocol value bgp } }"
}And one of the logs I'm trying to match on:2024/06/20 15:04:32 informational: BGP : %BGP-5-ADJCHANGE: neighbor 100.200.30.4 Down BGP Notification CEASEIf I then run&nbsp;imish and shut down a neighbor that should match that regex, the device I'm on stays active.Any thoughts on what else I can try?

zamroni777 · Answer

"." means any character in regex.replace it with \x02Ehttps://man7.org/linux/man-pages/man7/ascii.7.htmlhttps://www.tcl.tk/man/tcl8.4/TclCmd/re_syntax.htm#M41

Forum Discussion

Regular expression format in user_alert.conf

1 Reply

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

SSO login for APM Profiles

Virtual Server Configuration requirements for ISO 8583 traffic (Single persistent TCP session)

threat hunting guide

Webtop which has VNC for macos users

Floating IP responds from wrong VLAN/trunk

Related Content

Advanced iRules: Regular Expressions

Regular expressions in user_alert.conf

Parameter Value - Regular Expression

Using Perl Compatible Regular Expressions (PCRE) in Protocol Inspection Custom Signatures

LTM stream profile: Multiple replacements & regular expressions

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS