Regular Expression Tips & Examples


Regular expressions are a fairly standard and well-documented way of matching text, and can be used in email-based integrations to either include or exclude certain keywords from creating incidents. Even using Google on the first try for specialized regular expressions will often return good results, since people have been using them to complete the same simple tasks for decades.

Here is an example of a common regular expression:

Your service is receiving emails, however you only want the service to create incidents and notify you if they are either critical or severe, as determined by your monitoring system, which sends out notifications starting with the words CRITICAL or SEVERE in the subject line when the occasion arises.

The regular expression you would use to only match incidents of this type would be: ^(CRITICAL|SEVERE)

The ^ means the subject line starts with this, and (CRITICAL|SEVERE) means the starting word can be either CRITICAL or SEVERE.

Case Sensitivity

Regular expression rules are case sensitive, so DOWN, down, and Down are all considered different strings and will not both match against the same regex. You can make your email management rules case insensitive by adding (?i) to the beginning of the line. Here’s an example: (?i)(critical)

This will capture all cases: critical, CRITICAL, cRiTicAL, etc.


It's important to note that the case insensitivity modifier (?i) will only work with email management rules, it will not work with email filters. Due to this issue, we suggest using a pipe | to capture different upper/lowercase strings for email filters. For example: (Down|DOWN|down) 


Writing regular expressions can be difficult, but Rubular is a very helpful tool for editing regular expressions and making sure that the expression is correct.


To test an expression in Rubular, just enter your test string (in this example the email address that you want incidents to be opened with) and then make sure that your entered regular expression shows a match to your regular expression.


Filtering For

Filter Options & Regular Expression

'Open Escalations' or '[JIRA] Commented':

((Open Escalations)|(\[JIRA\] Commented:))+

  • All emails that contain Priority 1 or Priority 2 and Failed in the subject

  • AND contains Warning to Failed or Normal to Failed in the message body

  • AND only accepts emails from

  • The email subject matches the regex:

    ([\s\S]*)(Priority 1 | Priority 2)+([\s\S]*)(Failed)+

  • AND the email body matches the regex:

    (Warning to Failed)|(Normal to Failed)

  • AND the from address matches the regex:

Only trigger incidents from specific domains


Filter out e-mail replies that include RE: or FWD: at the beginning of the e-mails

The email subject does not match the regex \ARE:|\AFWD:

Do NOT open incidents with subject [Monitor] Back to normal: Disk Capacity met or exceeded 90%, increasing to 90% at 05:15AM and continued until 05:30AM (15 minutes)

  • The email subject matches the regex:

    (\[Monitor\] .*? isn\'t reporting.*)|(\[Monitor\] .*? Error\:.*)|(\[Monitor\] .*? Alert\: (?!(Port|Process|The URL)).*)|(\[Monitor\] .*? Alert\: (Port|Process) check\: (\d) of (?!\2).*)|(\[Monitor\] .*? Monitor\: The URL.*is not.*$)|(((?!wom-game0[1-2]).)*$)

  • AND the email body is anything

  • AND the from address matches the regex:


  • The email subject does not match the regex:


  • AND the email body is anything

  • AND the from address is anything

See also:

Have more questions? Submit a request