Hello, I’m trying to move to pipeline rules instead of input extractors.
1. Describe your incident:
I have a working regex extractor for my beats input; it replaces all (number) with a . character in the message field.
- The raw message looks like this:
24/08/2023 09:40:14 1590 PACKET 0000018955BBA8D0 UDP Rcv 192.168.1.5 594f Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(23)Premier-Site-par-defaut(6)_sites(2)dc(6)_msdcs(4)LAB(6)TECH(3)COMPANY(2)LAN(0)
- And the regex:
\([0-9]+\)
- I’m trying to create the equivalent in a pipeline rule but I’m stuck:
rule "Filebeat - DNS Server - Replace FQDN format"
when
  has_field("tags") AND contains(to_string($message.tags), "dnsserver") AND regex("\\([0-9]+\\)", to_string($message.message)).matches == true
then
  let msg = to_string($message.message);
  // Function arguments must be either all named or all positional, never mixed:
  // the trailing bare "true" after the named arguments does not parse, so name it as replace_all.
  let fqdn_replace = regex_replace(pattern: "\\([0-9]+\\)", value: msg, replacement: ".", replace_all: true);
  set_field("message", fqdn_replace);
end
- The errors:
2. Describe your environment:
- OS Information: Graylog 5.1.4
- Beats input with a Filebeat agent ingesting C:\Windows\Logs\DNS\windns.log
3. What steps have you already taken to try and solve the problem?
Looking on the forum for how to write the syntax of the regex_replace function correctly.
4. How can the community help?
Can you help me correct the syntax? I’m not even a beginner in the Java language or pipelines.
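As an added example that is not part of the original post or of Graylog's own code: the replacement the rule performs, reproduced offline with Python's re module standing in for the Java regex engine Graylog uses (for this pattern the two behave identically), so the effect of regex_replace's replace_all argument can be checked. It also goes one step beyond the blanket "(n) -> ." replacement: in the Windows DNS debug log each (n) is the length of the label that follows and the trailing (0) is the empty root label, so a plain substitution yields a leading dot ("SRV ._ldap...") and a trailing dot, while a small decoder produces a clean FQDN. The sample line is the one quoted in the post, embedded as a constant; the function names replace_fqdn, parse_dns_name and fqdn_from_log_line are hypothetical. Note that the declared lengths in the quoted line do not match the label text for LAB, TECH, COMPANY and LAN (the names appear to have been edited before posting), so the strict decoder rejects that line and only the lenient mode accepts it.

```python
import re

# Same pattern as the pipeline rule: a literal "(", one or more digits, a literal ")".
LABEL_LEN = re.compile(r"\([0-9]+\)")
# Same pattern with the length captured, for decoding.
LABEL_HDR = re.compile(r"\((\d+)\)")

# Sample input: the windns.log line quoted in the post, embedded so the example runs offline.
RAW = ("24/08/2023 09:40:14 1590 PACKET 0000018955BBA8D0 UDP Rcv 192.168.1.5 594f "
       "Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(23)Premier-Site-par-defaut(6)_sites"
       "(2)dc(6)_msdcs(4)LAB(6)TECH(3)COMPANY(2)LAN(0)")


def replace_fqdn(message: str, replace_all: bool = True) -> str:
    """Mirror of regex_replace(pattern, value, ".", replace_all) as used in the rule.

    Hypothetical helper (not a Graylog API). With replace_all=False only the first
    "(n)" is replaced, which is what the fourth argument of regex_replace controls.
    """
    return LABEL_LEN.sub(".", message, count=0 if replace_all else 1)


def parse_dns_name(token: str, strict: bool = True) -> str:
    """Decode a length-prefixed name from the DNS debug log into a dotted FQDN.

    Each label is written as (len)label and the name ends with (0), the empty root
    label, mirroring DNS wire format. The first (n) therefore produces no leading
    dot, and (0) becomes the FQDN's trailing dot. In strict mode a label whose text
    does not match its declared length raises ValueError; lenient mode simply takes
    the text between two markers.
    """
    labels = []
    pos = 0
    while True:
        m = LABEL_HDR.match(token, pos)
        if not m:
            raise ValueError(f"expected (len) at offset {pos} in {token!r}")
        length = int(m.group(1))
        pos = m.end()
        if length == 0:  # root label: end of the name
            break
        end = token.find("(", pos)
        if end == -1:
            raise ValueError(f"name is not terminated by (0): {token!r}")
        label = token[pos:end]
        if strict and len(label) != length:
            raise ValueError(f"label {label!r} declares length {length} but has {len(label)}")
        labels.append(label)
        pos = end
    return ".".join(labels) + "."


def fqdn_from_log_line(line: str, strict: bool = True) -> str:
    """Take the encoded name, the last whitespace-separated field of the query line, and decode it."""
    return parse_dns_name(line.split()[-1], strict=strict)


if __name__ == "__main__":
    print(replace_fqdn(RAW))                      # every (n) becomes ".", leading dot included
    print(replace_fqdn(RAW, replace_all=False))   # only the first (n) replaced
    print(fqdn_from_log_line(RAW, strict=False))  # _ldap._tcp....LAN.
```

Running the block shows why set_field("message", ...) with the blanket replacement is fine for readability but not for matching against a hostname field: the result carries a leading dot on the first label, and the trailing (0) turns into a trailing dot, which is correct for an absolute FQDN but may not match a host name stored without it.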