(Add) Negated Condition for Extractors?



Then adding extractors, you can choose a condition for matching.
I’ve tried to write a negated regexp for matching, but I can’t get that to work.
Examples I’ve tried:

But none seems to work

Perhaps a check box is needed for negating the condition (like the stream rules currently have already)

(Jochen) #2

Please provide some specific examples and explain what you want to achieve.


I want to extract Key=Value pair from message, for all messages but exclude certain messages that contains K=V strings that are useless. and instead of writing a condition that includes “known good” I want to write a condition that excludes the “known bad”

btw. some of those might be due to a bug
messages containing a hashstring that ends with == are extracted as a field (which I don’t want), but perhaps K=V also includes format of K==V or K== ?

Correction: string== is extracted as K:string = V:=
also, string= string is extracted as K=V

Some examples of junk I don’t want to K=V extract:

nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/somecommand --tail=10 --comma-separated-output

apache : TTY=unknown ; PWD=/usr/bin/somecommand ; USER=root ; GROUP=apache ; COMMAND=/usr/bin/perlscript.pl L3Zhci93d3cv2dpLWJpi9zZWN1mUvZhlY3V0ZUwZXJdGlvi5bA== b3BlcFaWuPWddEZNU1TcGVjaFsTmZVZJUA== L3RtcCbTWN1ml0eS5UxLU0MTEuNDgZXJyLRcCDhmTHY=

While I agree that specifying the known goods are better for just getting the useful K=Vs, but that list would get really long and hard to maintain.
I think its easier to just exclude the most useless K=Vs that shows up in Graylog.

(Jochen) #4

FWIW, you’d better use a Grok extractor instead of a Key-Value converter to parse these messages.

And what’s the condition you’re using to identify the “junk”?


All those hash strings ending with “==”, which then becomes a key existing of the hash string with the value of “=”

(Jochen) #6

It works for me with the proper regular expression: ^((?!==).)+$


(system) #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.