Grok works in test with sample data, unable to utilize in Pipeline rule

Templates and Rules Exchange Pipeline Rules
1

Trying to wrap my head around this, not familiar with Graylog, but hoping to get it to work someday. I am utilizing NGINX Reverse Proxy Manager (NPM) on my network. I am successfully sending data to graylog. However, I get events that looks like this:

facility
Unknown
facility_num
-1
level
-1
message
2025-08-14T12:19:32.982662+02:00q77-npm-01nginx-access[14/Aug/2025:10:19:32 +0000] - 200 200 - GET https graylog.www.xyz "/api/system/configuration/minimum_auto_refresh_interval" [Client 192.168.0.22] [Length 16] [Gzip -] [Sent-to 192.168.44.12] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Safari/605.1.15" "https://monk.www.xyz/streams/689d182f3362d9b1bcbfe4e9/search?q=&rangetype=relative&streams=689d182f3362d9b1bcbfe4e9&from=300"
source
10.0.20.14
timestamp
2025-08-14 10:19:32.983

If I try the above message with this Grok pattern, it works (“Test with Sample Data”), “NPM_ACCESS_LOGS”:

^%{TIMESTAMP_ISO8601:ingest_ts}\s?(?<host>.+?)(?<program>nginx-(?:access|error|stream|proxy))\[%{HTTPDATE:request_time}\] - %{NUMBER:status:int} %{NUMBER:upstream_status:int} - %{WORD:method} %{WORD:scheme} %{HOSTNAME:host_header} "%{DATA:request_path}" \[Client %{IPORHOST:client_ip}\] \[Length %{NUMBER:response_length:int}\] \[Gzip %{DATA:gzip}\] \[Sent-to %{IPORHOST:sent_to}\] "%{DATA:user_agent}" "%{DATA:referrer}"$

But I am not sure why I cannot get the fields when I try to utilize the Pipeline Rule Builder:

Title: NPM Access Logs

When
Check if string value in 'message' contains 'nginx-access'
Then
Match grok pattern 'NPM_ACCESS_LOGS' on field 'message' and set fields for matches

It also looks OK in https://www.grokdebugger.com?

[
  {
    "ingest_ts": "2025-08-14T12:19:32.982662+02:00",
    "host": "q77-npm-01",
    "program": "nginx-access",
    "request_time": "14/Aug/2025:10:19:32 +0000",
    "status": 200,
    "upstream_status": 200,
    "method": "GET",
    "scheme": "https",
    "host_header": "graylog.www.xyz",
    "request_path": "/api/system/configuration/minimum_auto_refresh_interval",
    "client_ip": "192.168.0.22",
    "response_length": 16,
    "gzip": "-",
    "sent_to": "192.168.44.12",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Safari/605.1.15",
    "referrer": "https://graylog.www.xyz/streams/689d182f3362d9b1bcbfe4e9/search?q=&rangetype=relative&streams=689d182f3362d9b1bcbfe4e9&from=300"
  }
]

What am I missing / not understanding? Using Rule Simulation and pasting the contents of the message field in Simple Message gives me Conditions Output true, but noe any fields.

Thanks!

2

Got it to work.

Slightly changed Grok Pattern:

%{TIMESTAMP_ISO8601:timestamp}(?<hostname>[a-zA-Z0-9-]*[0-9])(?<program>[a-zA-Z][\w-]*)?\[%{HTTPDATE:request_time}\] - %{NUMBER:status:int} %{NUMBER:upstream_status:int} - %{WORD:method} %{WORD:scheme} %{HOSTNAME:host_header} "%{DATA:request_path}" \[Client %{IPORHOST:client_ip}\] \[Length %{NUMBER:response_length:int}\] \[Gzip %{DATA:gzip}\] \[Sent-to %{IPORHOST:sent_to}\] "%{DATA:user_agent}" "%{DATA:referrer}"$

And I referenced it a bit differently:

Match grok pattern ‘%{NPM_ACCESS_LOGS}’ on field ‘message’ and set fields for matches