Extractor Regex No Match

kenzo-onms · November 5, 2021, 6:46pm

I’m trying to create an extractor and when I click the try button I get error “Regular expression did not match”. I used the syntax found here Extractors - Extractors with and without brackets around the whole statement.

Screenshot is here: https://i.imgur.com/n8gSeFm.png

System

Hostname:
GCC-009
Node ID:
3d12686f-c3fc-4d98-bf06-74fd7ec808c8
Version:
4.2.0+5adccc3, codename Noir
JVM:
PID 5480, Red Hat, Inc. 1.8.0_302 on Linux 3.10.0-1160.45.1.el7.x86_64
Time:
2021-11-05 14:40:54 -04:00

tmacgbay · November 5, 2021, 7:47pm

Only giving a picture doesn’t help me to test it out much… But you can use the same tools I would if I had the text of your message and regex… You can plug your information in here and it will parse your regex, show results, and explain what is going on in your regex command.

kenzo-onms · November 6, 2021, 8:41am

The thing is, I’m just a network engineer trying to pull per building info based on the node description for my Meraki APs. I’ve never delved much into structured queries.

Here is a message sample:

<134>1 1636186331.633775439 SP2_216_AP1 airmarshal_events type=rogue_ssid_detected ssid=’’ bssid=‘22:18:0A:84:06:EA’ src=‘22:18:0A:84:06:EA’ dst=‘FF:FF:FF:FF:FF:FF’ wired_mac=‘00:18:0A:84:06:EA’ vlan_id=‘14336’ channel=‘2437’ rssi=‘47’ fc_type=‘0’ fc_subtype=‘8’

tmacgbay · November 6, 2021, 1:46pm

You could try:

SP3\S+

SP3 matches the characters SP3 literally (case sensitive)

\S matches any non-whitespace character (equivalent to [^\r\n\t\f\v ])

+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)

All of the above from the regex101 web site - you wanted anything starting with SP3 and following to a white space so I used the Quick Reference section to find the tokens I wanted to use and double checked with the explanation that it explained what I wanted to do reasonably.

Regex is powerful stuff, worth learning for any IT IMHO. Here is a site I have referred people to in the past (Regex One) IT may start a little slow but it does a good job.

Also of note - there is a lot on Meraki you can search for in the community logs here you can even use this google command site:community.graylog.org meraki to restrict the search to just the Graylog community.

Thirdly of note - there is a searchable market place where people have already put together content packs that have Meraki extractors (etc) you could use.

kenzo-onms · November 8, 2021, 3:23pm

Yes! That works the way I need.

Thanks

system · November 22, 2021, 3:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regex extractor bug? Graylog Central (peer support)	2	639	November 14, 2019
Extractor dont'works Graylog Central (peer support)	4	298	May 27, 2020
Unable to get some REGEX extractors working Graylog Central (peer support)	3	758	November 19, 2019
Difficulties to apply extractors using regex Graylog Central (peer support) key_value	47	2039	April 22, 2022
Graylog 3.2 Regex Extractors FAILING BADLY Graylog Central (peer support)	8	1480	May 25, 2020

Extractor Regex No Match

Related Topics