New at rules, getting NPE

So I’m trying my hand at rules and pipelines. I know how to implement another’s rules (did successfully with ionstorm’s Sysmon threat intel), but I’m having dificulties trying my own. Like this:

rule "test"
    let lc_event_app = lowercase(to_string($message.event_app));
    let regexPattern = to_string("\w*\.(\w){3}$");
    let event_app_name = regex(regexPattern,lc_event_app);

Pretty basic - extract and lowercase app names from a full path field. But it gives me NPE when trying to save. What am I doing wrong - that even searching the web I couldn’t find out?

You have to properly escape the backslash ("\") character in your regular expression, e. g. "\\w" instead of "\w".

Related issue (fixed in Graylog 2.3.0):

1 Like

escape inside string… that’s hardcore. Thanks man! It’s working now =)
(edit) at least I thought it was… I still don’t see the new field anywhere =(

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.