Matching Field Contents with Regex (Pipeline Processing)

I am trying my hand at pipeline processing, but once again it just confuses me and I get nowhere with it!

So below I will include pseudocode of what I am trying to achieve:

If 
    field: TargetUserName exists
then
    if 
        field: TargetUserName matches regex: "\\$$" (This regex matches field values that end with $)
    then
        set field name: TargetUserName    to    TargetWorkstationName
end

There are no conditionals (like if-then-else) in the rule language, so you have to put these things into the “when” block.

Other than that, the usage of the has_field(), regex(), and set_field() functions should be reasonably straight forward.

Could you provide me with the code to match the field ‘TargetUserName’ with the regex \$$?

I really struggle to understand the syntax behind the pipeline processors, and usually choose to not use them where possible. I have read multiple forum posts and all of the documentation surrounding them, however I still can’t seem to get them working, to a point where it’s worth it over using streams and extractors to solve issues I have.

Cheers,

G

See graylog-plugin-pipeline-processor/plugin/src/test/resources/org/graylog/plugins/pipelineprocessor/functions/regexMatch.txt at 2.3.1 · Graylog2/graylog-plugin-pipeline-processor · GitHub for some example usages of the regex() function.

The regular expression syntax follows the rules of Java regular expressions:

Hi Jochen,

I have been pointed to this page before, and I still don’t understand it. I’m not sure if this is just me or if other users struggle with pipeline processing. Looking at that page, I don’t understand what each line is doing; I feel that it could be more clearly documented.

Thank you for the Regex links, they are useful.

cheers,

G

Maybe this will help:

rule "a_rule"
when
   // the field must exist AND the regex must match the string value of the other field;
   // regex() returns a map whose "matches" entry is the boolean used here
   has_field("a_field") AND to_bool(regex("^0$",to_string($message.somefield)).matches)
then
   //do whatever you want here
   remove_field("another_field");
end

I think another way is to do this step by step in the pipeline, e.g.

step 0 contains the field
step 1 matches regex + change name (only if step one passes)

I agree, documentation is a bit shallow
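Putting the pieces from the replies above together, here is a complete rule for the original question. It is an added example, not code from the thread or from Graylog's own docs; it assumes the `rename_field()` pipeline function (not mentioned in the thread) and the Windows convention that a computer (machine) account's name ends in `$`, which is why the matched value is really a workstation name:

```text
rule "machine account in TargetUserName -> TargetWorkstationName"
when
    // guard first: the field must exist before its value is inspected
    has_field("TargetUserName") AND
    // Java regex \$$ = a literal "$" at the end of the value; the backslash is
    // doubled because it sits inside a rule-language string literal
    regex("\\$$", to_string($message.TargetUserName)).matches == true
then
    // assumed helper from the pipeline function list: moves the value to the
    // new field name and removes the old field in one step
    rename_field("TargetUserName", "TargetWorkstationName");
end
```

Two caveats a practitioner would check: the unescaped pattern `$$` would match every non-empty value, because in Java regex a bare `$` is the end-of-input anchor rather than the dollar sign, so the `\\` is the whole point of this rule; and because the rule language has no if/then/else, the existence check and the regex match have to be combined with `AND` in the single `when` block exactly as shown, rather than nested.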

Additions and clarifications can be submitted as a PR to the repository (GitHub - Graylog2/documentation; archived, see https://docs.graylog.org/ for the new documentation), and we welcome every contribution.
