Pipeline Regex Match Group with Escape Character issues


I am using pipelines to parse a specific line of syslog information and use regex to parse through that information, using match groups to add specific information to custom fields.

message example: CONF-6-ARM: Rate switch 3761 Mbps,QAM32->4513 Mbps,QAM64 (L:-46, R:-50) From:

I have my regex set up thusly:

```
^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [A-Z]+-[0-9]{1}-[A-Z]+: Rate switch ([0-9]+) [a-zA-Z]+,([a-zA-Z]+[0-9]+)->([0-9]+) [a-zA-Z]+,([a-zA-Z]+[0-9]+) \(L:(-[0-9]+), R:(-[0-9]+)\) From: [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$
```

This gives me the following match groups (per regex101.com):

| Group | Range | Match |
|---|---|---|
| Group 1 | 53-57 | 3761 |
| Group 2 | 63-68 | QAM32 |
| Group 3 | 70-74 | 4513 |
| Group 4 | 80-85 | QAM64 |
| Group 5 | 89-92 | -46 |
| Group 6 | 96-99 | -50 |

My problem is when entering this into the pipeline rule I want to use to process this type of message. I have problems when trying to escape '(' and then use the information immediately after it to populate a match group. I get multiple errors starting at "(L:-46" in my message string, because that's a character I need to escape in order to proceed to creating a match group for the information contained in it.

Pipeline rule:

```
rule "regex bridgewave modulation event"
regex("^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [A-Z]+-[0-9]{1}-[A-Z]+: Rate switch ([0-9]+) [a-zA-Z]+,([a-zA-Z]+[0-9]+)->([0-9]+) [a-zA-Z]+,([a-zA-Z]+[0-9]+) (L:(-[0-9]+), R:(-[0-9]+)) From: [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$", to_string($message.message)).matches == true

let results = regex("^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [a-zA-Z]+-[0-9]-ARM: Rate switch ([0-9]+) Mbps,(QAM[0-9]+)->([0-9]+) Mbps,(QAM[0-9]+) (L:-[0-9]+, R:-[0-9]+) From: [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$", to_string($message.message), ["from_speed_in_mpbs", "from_qam_rate", "to_speed_in_mpbs", "to_qam_rate"]);
```

I assume there is a syntax issue. Anyone have any suggestions?

(Jan Doberstein) #2

The problem here is that you need to escape the two fields differently. Do you mind opening a bug report over at https://github.com/Graylog2/graylog2-server/issues that the escaping should be the same for both fields?
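
The regex layer of the rule discussed in this thread, as an added Python example (not code from either poster or from Graylog): it shows that the parentheses around `L:..., R:...` must be escaped to match literally while the inner pairs stay capture groups. The sample line, its 192.0.2.x addresses and the last two field names are constructed, and how Graylog's rule strings treat the backslash is not modeled here.

```python
import re

IP = r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

def build(lparen, rparen):
    """Assemble the thread's pattern with the given tokens around 'L:.., R:..'."""
    return re.compile(
        "^" + IP + " " + IP + r" [A-Z]+-[0-9]{1}-[A-Z]+: Rate switch "
        r"([0-9]+) [a-zA-Z]+,([a-zA-Z]+[0-9]+)->"
        r"([0-9]+) [a-zA-Z]+,([a-zA-Z]+[0-9]+) "
        + lparen + r"L:(-[0-9]+), R:(-[0-9]+)" + rparen
        + " From: " + IP + "$"
    )

ESCAPED = build(r"\(", r"\)")   # literal parentheses, 6 capture groups
UNESCAPED = build("(", ")")     # parentheses become a 7th, enclosing group

# First four names are from the thread; the last two are hypothetical.
FIELDS = ["from_speed_in_mpbs", "from_qam_rate", "to_speed_in_mpbs",
          "to_qam_rate", "l_value", "r_value"]

# Constructed sample line (documentation-range addresses).
SAMPLE = ("192.0.2.10 192.0.2.11 CONF-6-ARM: Rate switch 3761 Mbps,QAM32->"
          "4513 Mbps,QAM64 (L:-46, R:-50) From: 192.0.2.12")

def parse(line):
    """Return the six fields as a dict, or None when the line does not match."""
    m = ESCAPED.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None

if __name__ == "__main__":
    print(parse(SAMPLE))
    # The unescaped variant compiles, but it expects "L:" where the log has "(".
    print(UNESCAPED.groups, UNESCAPED.match(SAMPLE))
```

The unescaped variant raises no error at compile time; it simply never matches the line, which is why a group-count check and a known-good sample are worth keeping next to any parsing rule.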