Graylog Remove Field That Matches Regular Expression

I’m trying to configure a rule that will remove any field that matches “Form__member_name_” with 7 digits after (i.e. Form__member_name_1234567). I have this much, but I’m not sure how to go about attaching a regex to my rule:

rule "function removeFields"
when
    has_field("Form__member_name_")
then
    remove_field("Form__member_name_");
end

Is it possible to set a field to look for with a regex in your rule?

Yes, you can, e.g.:

regex("^.*(cde\\.)(:(\\d+))?.*$", "abcde.fg").matches == true 

But maybe this is enough:

contains(to_string($message.log_type),"IIS",true)

This regex works on regex query testers but not in Graylog. Any assistance?

^(?i)([a-z]{4}).([a-z]{7}).([a-z]{6}).(\d{3})$

Check your regexp and mine.
There is the reason.

From reading this, it looks like what @rmentor is trying to do is perform a regex match against the field name(s), not the values of the fields.

AFAIK, this is not possible. You can perform the regex on the values of the fields, but not the names of fields.

@Ponet that’s exactly what I was trying to do. Thanks for the information. I’ll try to come at this from another angle.
