Output regex result to a field in a rule


#1

I know this must be simple but I can’t seem to get my head around it even after going through the documentation many times. Just trying to clean up some windows events and pull some data from a field:

winlogbeat_event_data_MemberName
in this case it contains
CN=Administrator,OU=Domain Users,DC=test,DC=local

I’d like to pull the common name administrator (or whatever user is there) into its own field. I’ve got a rule to perform this:

when
has_field(“winlogbeat_event_id”) AND contains(to_string($message.winlogbeat_event_id), “4728”)
then
let pattern = “CN=([^,]+)”;
let t1 = regex(pattern,to_string($message.winlogbeat_event_data_MemberName));
set_field(“testpattern”, t1[“1”]);
end

I would expect this to set the second match for t1 to the field testpattern but I don’t get any result.

If I use:
set_field(“testpattern”, t1);

I’ll see events containing field testpattern filled with {“0”:“Administrator”}

Unfortunately I’m not fluent enough to figure out what I’m doing wrong. Any help would be appreciated.


(Jan Doberstein) #2

did you tried set_field(“testpattern”, t1[“0”]); as the counting starts at 0 …?


#3

Sorry, last thing I had tried and forgot to pull it out. I get the same result with:

set_field(“testpattern”, t1[“0”]);

I notice graylog is producing an indexer error that reads:
{“type”:“mapper_parsing_exception”,“reason”:“object mapping for [testpattern] tried to parse field [testpattern] as object, but found a concrete value”}


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.