Capturing numbers with commas


(Jan Caster) #1

I am currently trying to parse numbers captured from logs using regex.
The numbers however, have commas within them (e.g. 1,234.16 ), we need to use charts on the field so we have to convert the field to_long().

Does anyone have any recommendations how to do this?
Sample log:

<62>1 2017-09-18T06:03:36.994+00:00 xxxxxxx-xxxxxxxx oci 7564 syslog - [SANscreen] Event: Violation Up, Name: VL-773434, Type: HV_VirtualMachine, Severity: CRITICAL, Element: xxxxx.xxx.xxxxx.xxx, Description: xxxxx.xxx.xxxxx.xxx violation with 'Latency - Total' > 30.00 ms (value of 140.15 ms), Start Time: Mon Sep 18 06:02:53 UTC 2017

Here’s the sample pipline that we use

rule "get oci fields - up"
when
  contains(to_string($message.message),"IOPS")
then
 let pattern = "(Violation Up), Name: \\S+, Type: \\S+, Severity: (\\w+), Element: (\\S+), Description: \\S+ violation with \\'IOPS \\- Total\\' \\> \\S+ IO\\/s \\(value of (\\d.*) IO\\/s\\), Start Time: (\\w+ \\w+ \\d+ \\d+\\:\\d+\\:\\d+ \\w+ \\d+)";
 let regex_match = regex(pattern,to_string($message.message),["violation_status","severity","target_vm","iops","start_time"]);
 set_fields(regex_match);
 
 let a = split(",",to_string(regex_match["iops"]));
 let b = split(",",to_string(regex_match["iops"]),1);
 
 //Hello There test
 //let a = split(",","Hello,There",1);
 //set_field("temp",a);
 
 set_field("str_iops", concat(to_string(a),to_string(b)));
 set_field("iops",to_long(concat(to_string(a),to_string(b))));
end

I tried using to_long() to convert but it wouldn’t probably due to the comma.
I’ve tried using splitting then combining as well but it seems not splitting anything.
Also, the the “Hello,There” test about would set “Hello,There” in the field without splitting.


(Jochen) #2

“12.345” is a floating point number (or floating point number with double precision), not an integer (or long integer), so you have to use the to_double() function.

Using commas for digit grouping is not supported by either to_long() nor by to_double(), so you have to remove these before sending the message to Graylog.


(Jan Caster) #3

Thanks for the response, I created a rather hacky comma remover in a separate rule (using regex and concat) then set the fields as double. it works well now, thanks for the suggestions.


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.