Errors/issues in pipeline rule builder: Invalid expression, not adding new field

marziglt · November 20, 2024, 3:02pm

Using Graylog Open 6.1, we’re trying to parse the Category from an incoming log stream derived from the OpenSearch cluster log file.

Sample message:

servername file-osgraylog: [2024-11-19T13:22:07,732][INFO ][o.o.j.s.JobSweeper ] [servername] Running full sweep

Proposed regex:

[o.o.(.*?)]

When we apply the proposed regex (which works on several regex calculators online) in a Graylog pipeline rule (using the “Extract regular expression to new field” action), we get the rule builder error “Invalid expression”.

Furthermore, even when we used a simple “*” or “a” as the expression, the pipeline rule would be free of errors but would not create the new field.

marziglt · November 20, 2024, 5:30pm

We solved it ourselves. Apparently Graylog requires the Java flavor of regex. Once we used the required syntax, it came together nicely:

\[(o\.o\…*?)\]

Topic		Replies	Views
Parsing Snort Logs w/ Regex Graylog Central (peer support) pipeline-rules	2	1369	June 6, 2020
Regex in search bar is working but doesn't work in Pipeline rule Graylog Central (peer support) pipeline-rules	21	935	March 22, 2023
Graylog pipeline rule syntax errors (I guess?) Graylog Central (peer support) pipeline-rules , debuggingpl , sidecar , winlogbeat	4	1321	October 1, 2018
Issue with parsing regex expression in pipelines Graylog Central (peer support) pipeline-rules , regex-special-charac , jsonfblx	8	273	January 17, 2024
Need some help with regex in pipeline rule Graylog Central (peer support) pipeline-rules	2	2176	July 7, 2023

Errors/issues in pipeline rule builder: Invalid expression, not adding new field

Related topics