Issue with regex-array in pipeline-rule

Hey,

I am a newbie on graylog and have an issue with a pipeline-rule on graylog3
while trying to fetch the not-first member in a regex-array.

I made a simple test-message for testing in the simulator:

TRIGGER TEXT (one) TEXT (two) TEXT (three)

Extracting the strings inside the brackets with regex in my rule:

when 
    contains(to_string($message.message),("TRIGGER"))
then
    let pattern = "(?<=\\()(.*?)(?=\\))";
    let VAL = regex(pattern,to_string($message.message));

I want to put the second string in a separate field:

set_fields(VAL);
set_field("FieldOne", VAL["0"]);
set_field("FieldTwo", VAL["1"]);

The only result I get in the simulator is the first index:

Added fields
> 0
> one
> FieldOne
> one

The recommended regex-tester says: (?<=\()(.*?)(?=\)) matches all the three parts,
but this is not accepted by the rule - I have to double-escape to save: (?<=\\()(.*?)(?=\\))

……………………………………………………………………………
First I tried it unsuccessfully with [group_names: array[string]
let VAL = regex(pattern,to_string($message.message), ["one","two","three"]);
which I technically wanted to use.
I have tried many different notations, but only got gl2_processing_error:

In call to function ‘set_field’ at 9:4 an exception was thrown: Indexed or mapped properties are not supported on objects of type Map: [0]

Maybe this simple regex would be enough:

let repa = regex(".+\\((.*)\\).+\\((.*)\\).+\\((.*)\\)",to_string($message.message));
set_field("repa1", repa["0"]);
set_field("repa2", repa["1"]);
set_field("repa3", repa["2"]);
2 Likes
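
A complete rule that combines the three-capture-group pattern from the reply above with the group_names parameter from the original question, as an added example that is not part of either post. The rule title, the group names one/two/three and the FieldThree field are assumptions chosen for illustration.

```graylog
rule "extract bracketed values from TRIGGER messages"
when
    contains(to_string($message.message), "TRIGGER") &&
    // Only run the actions when all three bracketed parts are present.
    regex(".+\\((.*)\\).+\\((.*)\\).+\\((.*)\\)", to_string($message.message)).matches == true
then
    // regex() returns the capture groups of a single match, so each value
    // that should become a field needs its own capture group in the pattern.
    // Backslashes are doubled because the pattern is a rule string literal.
    // The third argument names the groups in capture order (assumed names).
    let m = regex(".+\\((.*)\\).+\\((.*)\\).+\\((.*)\\)", to_string($message.message), ["one", "two", "three"]);

    // With group_names supplied, the groups are read by those names
    // instead of the default keys "0", "1", "2".
    set_field("FieldOne", m["one"]);
    set_field("FieldTwo", m["two"]);
    set_field("FieldThree", m["three"]);
end
```

Run against the test message from the question, this sets FieldOne, FieldTwo and FieldThree to one, two and three.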

That’s great!
Thank you!
