Errors/issues in pipeline rule builder: Invalid expression, not adding new field

Using Graylog Open 6.1, we’re trying to parse the Category from an incoming log stream derived from the OpenSearch cluster log file.

Sample message:

servername file-osgraylog: [2024-11-19T13:22:07,732][INFO ][o.o.j.s.JobSweeper ] [servername] Running full sweep

Proposed regex:

[o.o.(.*?)]

When we apply the proposed regex (which works on several regex calculators online) in a Graylog pipeline rule (using the “Extract regular expression to new field” action), we get the rule builder error “Invalid expression”.

Furthermore, even when we used a simple “*” or “a” as the expression, the pipeline rule would be free of errors but would not create the new field.

We solved it ourselves. Apparently Graylog requires the Java flavor of regex. Once we used the required syntax, it came together nicely:

\[(o\.o\…*?)\]

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.