New at rules, getting NPE


(João Ciocca) #1

So I’m trying my hand at rules and pipelines. I know how to implement another’s rules (did successfully with ionstorm’s Sysmon threat intel), but I’m having dificulties trying my own. Like this:

rule "test"
when
    has_field("event_app")
then
    let lc_event_app = lowercase(to_string($message.event_app));
    let regexPattern = to_string("\w*\.(\w){3}$");
    let event_app_name = regex(regexPattern,lc_event_app);
    set_fields(event_app_name);
end

Pretty basic - extract and lowercase app names from a full path field. But it gives me NPE when trying to save. What am I doing wrong - that even searching the web I couldn’t find out?


(Jochen) #2

You have to properly escape the backslash ("\") character in your regular expression, e. g. "\\w" instead of "\w".

Related issue (fixed in Graylog 2.3.0):


(João Ciocca) #3

escape inside string… that’s hardcore. Thanks man! It’s working now =)
(edit) at least I thought it was… I still don’t see the new field anywhere =(


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.