New at rules, getting NPE

joaociocca · July 5, 2017, 9:58pm

So I’m trying my hand at rules and pipelines. I know how to implement another’s rules (did successfully with ionstorm’s Sysmon threat intel), but I’m having dificulties trying my own. Like this:

rule "test"
when
    has_field("event_app")
then
    let lc_event_app = lowercase(to_string($message.event_app));
    let regexPattern = to_string("\w*\.(\w){3}$");
    let event_app_name = regex(regexPattern,lc_event_app);
    set_fields(event_app_name);
end

Pretty basic - extract and lowercase app names from a full path field. But it gives me NPE when trying to save. What am I doing wrong - that even searching the web I couldn’t find out?

jochen · July 6, 2017, 8:06am

You have to properly escape the backslash ("\") character in your regular expression, e. g. "\\w" instead of "\w".

Related issue (fixed in Graylog 2.3.0):

joaociocca · July 6, 2017, 2:25pm

escape inside string… that’s hardcore. Thanks man! It’s working now =)
(edit) at least I thought it was… I still don’t see the new field anywhere =(

system · July 20, 2017, 2:25pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need some help with regex in pipeline rule Graylog Central (peer support) pipeline-rules	2	1279	July 7, 2023
Pipeline Rules w/ Regex Graylog Central (peer support)	4	209	October 9, 2023
Another try at pipeline rules Graylog Central (peer support) pipeline-rules , debuggingpl	5	1197	August 2, 2017
Parsing Snort Logs w/ Regex Graylog Central (peer support) pipeline-rules	2	1262	June 6, 2020
Can't get this pipeline to work Graylog Central (peer support) pipeline-rules	4	209	December 21, 2023

New at rules, getting NPE

Related Topics