Doubt about Regex on Pipeline

MrKennedy · January 4, 2023, 4:01pm

Hi people

I’m new about Graylog and I’ve tried to create a Pipeline to extract an information but when I checked the new field created it’s showing (I believe) the index of array…

message: 1/4/2023 12:53:21 PM 3048 PACKET 00000232C6D4D890 UDP Rcv 192.168.251.4 f815 Q [0001 D NOERROR] A (25)atera-agent-heartbeat-cus(10)servicebus(7)windows(3)net(0)

Result

Follow my pipeline script

rule "Get_Domain"
when
    has_field("message")
then
    let message_field = to_string($message.message);
    let domain = regex("(\\([^\\s]+\\))", message_field);
    set_field("dstdomain", domain);
end

I would like to show on this way “dstdomain: (25)atera-agent-heartbeat-cus(10)servicebus(7)windows(3)net(0)”

Anybody could help me?

Have a nice day!!! Thank you

tmacgbay · January 4, 2023, 8:05pm

I think it’s just setting it to find use the first found instance: ["0"]

let domain = regex("(\\([^\\s]+\\))", message_field)["0"];

system · January 18, 2023, 8:05pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipelines and regex (and some extractor talk) Graylog Central (peer support) regex-special-charac	6	775	July 11, 2023
Issue with regex-array in pipeline-rule Graylog Central (peer support) pipeline-rules	3	1474	May 8, 2020
Regex in Search Field Graylog Central (peer support)	6	1418	September 20, 2018
Regex Matching in Pipeline or Extractor Graylog Central (peer support)	18	2293	January 31, 2023
Graylog 4 - pipeline regex causes lost messages? Graylog Central (peer support) pipeline-rules , route-to-streampl , debuggingpl	6	1540	February 1, 2021

Doubt about Regex on Pipeline

Related topics