Doubt about Regex on Pipeline

MrKennedy · January 4, 2023, 4:01pm

Hi people

I’m new about Graylog and I’ve tried to create a Pipeline to extract an information but when I checked the new field created it’s showing (I believe) the index of array…

message: 1/4/2023 12:53:21 PM 3048 PACKET 00000232C6D4D890 UDP Rcv 192.168.251.4 f815 Q [0001 D NOERROR] A (25)atera-agent-heartbeat-cus(10)servicebus(7)windows(3)net(0)

Result

Follow my pipeline script

rule "Get_Domain"
when
    has_field("message")
then
    let message_field = to_string($message.message);
    let domain = regex("(\\([^\\s]+\\))", message_field);
    set_field("dstdomain", domain);
end

I would like to show on this way “dstdomain: (25)atera-agent-heartbeat-cus(10)servicebus(7)windows(3)net(0)”

Anybody could help me?

Have a nice day!!! Thank you

tmacgbay · January 4, 2023, 8:05pm

I think it’s just setting it to find use the first found instance: ["0"]

let domain = regex("(\\([^\\s]+\\))", message_field)["0"];

system · January 18, 2023, 8:05pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipelines and regex (and some extractor talk) Graylog Central (peer support) regex-special-charac	6	465	July 11, 2023
Issue with regex-array in pipeline-rule Graylog Central (peer support) pipeline-rules	3	1399	May 8, 2020
Regex Matching in Pipeline or Extractor Graylog Central (peer support)	18	1328	January 31, 2023
Graylog 4 - pipeline regex causes lost messages? Graylog Central (peer support) pipeline-rules , route-to-streampl , debuggingpl	6	1377	February 1, 2021
Can't get this pipeline to work Graylog Central (peer support) pipeline-rules	4	209	December 21, 2023

Doubt about Regex on Pipeline

Related Topics