When adding extractors, you can choose a condition for matching.
I’ve tried to write a negated regexp for matching, but I can’t get that to work.
Examples I’ve tried:
!(string|otherstring)
(?!(string|otherstring))
But none seems to work.
Perhaps a check box is needed for negating the condition (like the stream rules currently have already).
I want to extract Key=Value pairs from messages, for all messages, but exclude certain messages that contain K=V strings that are useless. And instead of writing a condition that includes the “known good”, I want to write a condition that excludes the “known bad”.
Btw, some of those might be due to a bug:
messages containing a hash string that ends with == are extracted as a field (which I don’t want), but perhaps K=V also includes the format of K==V or K==?
Correction: string== is extracted as K:string = V:=
Also, string= string is extracted as K=V.
Some examples of junk I don’t want to K=V extract:
While I agree that specifying the known goods is better for just getting the useful K=Vs, that list would get really long and hard to maintain.
I think it’s easier to just exclude the most useless K=Vs that show up in Graylog.
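An added example, not part of the original post and not Graylog's own code: it runs the two patterns from the post, plus an anchored negative lookahead, over constructed messages to show which ones would pass an exclusion condition. It assumes the condition regex is applied as an unanchored search (as Java's `Matcher.find()` does, mirrored here with Python's `re.search`); the sample messages and the `condition_hits` helper are hypothetical.

```python
import re

# Constructed sample messages. "string" and "otherstring" stand in for the
# "known bad" markers, exactly as written in the post.
MESSAGES = [
    "user=alice action=login",          # wanted: no marker present
    "string session=abc123",            # unwanted: starts with a marker
    "status=ok otherstring token=xyz",  # unwanted: marker in the middle
]

# Patterns from the post, plus an anchored variant.
LITERAL_BANG = r"!(string|otherstring)"    # "!" is a literal character in a regex
UNANCHORED = r"(?!(string|otherstring))"   # lookahead tried at every position
ANCHORED = r"^(?!.*(string|otherstring))"  # lookahead tried only at the start


def condition_hits(pattern, messages=MESSAGES):
    """Return the messages on which the condition matches.

    Assumption: the condition is an unanchored search over the message.
    DOTALL lets ".*" cross newlines so multi-line messages are covered.
    """
    rx = re.compile(pattern, re.DOTALL)
    return [m for m in messages if rx.search(m)]


if __name__ == "__main__":
    for name, pat in [("literal !", LITERAL_BANG),
                      ("unanchored lookahead", UNANCHORED),
                      ("anchored lookahead", ANCHORED)]:
        print(f"{name:22} {pat:32} -> {condition_hits(pat)}")
```

The unanchored lookahead matches every message because the search only needs one position that is not followed by a marker, and any message has such a position (for instance one character further in). Anchoring with `^` and scanning with `.*` makes the single attempt at the start cover the whole message.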