Configuring Custom Alerts from Raw Logs

I’ve added some Cisco devices as Raw Log event sources in InsightIDR and I’d like to create custom alerts for some specific events. I’m having trouble getting the query correct. If I wanted to trigger an alert on a log that contains BGP-5-ADJCHANGE, what would that query look like when setting up the custom rule?

Here’s an example of a log:
01 Dec 2023 08:47:00.870<189>142: Dec 1 16:47:00.916: %BGP-5-ADJCHANGE: neighbor x.x.x.x Down Peer closed the session Raw Log/Cisco Router1

Hi @aboyd1, you just need to define the pattern as /BGP-5-ADJCHANGE/, with the slashes, to get the job done.

Hope this helps.
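As an added example (not part of the original thread or of InsightIDR itself), here is the same detection logic run in Python over constructed sample lines: the first mirrors the log format shown in the question, the other two are made up, and the `Raw Log/<source>` suffix, the placeholder addresses and the field names are assumptions. The matched lines are also parsed so an alert can carry the neighbor, state and reason instead of only the raw text.

```python
import re
from typing import List, Optional

# Constructed sample raw-log lines. The first copies the question's format;
# the others are invented to show a non-matching line and an "Up" event.
SAMPLE_LOGS = [
    "01 Dec 2023 08:47:00.870<189>142: Dec 1 16:47:00.916: %BGP-5-ADJCHANGE: "
    "neighbor x.x.x.x Down Peer closed the session Raw Log/Cisco Router1",
    "01 Dec 2023 08:49:12.004<189>143: Dec 1 16:49:12.050: %BGP-5-ADJCHANGE: "
    "neighbor 192.0.2.10 Up  Raw Log/Cisco Router1",
    "01 Dec 2023 08:50:00.000<189>144: Dec 1 16:50:00.012: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down Raw Log/Cisco Router1",
]

# The pattern the answer recommends for the custom-alert rule: a plain
# substring match on the Cisco mnemonic.
ALERT_PATTERN = re.compile(r"BGP-5-ADJCHANGE")

# Finer-grained parser for the Cisco %FACILITY-SEVERITY-MNEMONIC message.
# Field names and the optional "Raw Log/<source>" suffix are assumptions.
ADJCHANGE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"neighbor (?P<neighbor>\S+) (?P<state>Up|Down)"
    r"(?: (?P<reason>.*?))?"
    r"(?:\s+Raw Log/(?P<source>.+))?$"
)


def matches_alert_rule(line: str) -> bool:
    """Mirror the alert rule: fire when the raw log contains the pattern."""
    return ALERT_PATTERN.search(line) is not None


def parse_adjchange(line: str) -> Optional[dict]:
    """Extract facility, severity, neighbor, state and reason from a matching line."""
    m = ADJCHANGE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["reason"] = (fields["reason"] or "").strip()
    return fields


def triage(lines: List[str]) -> List[dict]:
    """Return enriched records for every line the alert rule would fire on.
    Lines that match the rule but not the parser are kept with the raw text
    so nothing the rule catches is silently dropped."""
    alerts = []
    for line in lines:
        if matches_alert_rule(line):
            alerts.append(parse_adjchange(line) or {"mnemonic": "ADJCHANGE", "raw": line})
    return alerts
```

Filtering `triage()` output on `state == "Down"` gives the subset most operators want paged on, while "Up" events can be logged for correlation.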