Pipeline Rule Filter Question

ThomasPowers · November 20, 2019, 5:07pm

Hello GL fans,

Simple pipeline rule question

We are trying to filter out messages with certain file paths in them.

This line works:
regex(“EMSAgent.exe”, to_string($message.full_message)).matches == false

But this one, trying to add the folder paths does not (note that the GUI has big red X on the backslashes till I have 4 of them)…

regex(“MaaS360\\Cloud Extender\\EMSAgent.exe”, to_string($message.full_message)).matches == false

All insight is appreciated

Thanks

TP

shoothub · November 21, 2019, 7:41am

You are right, java regex requires four backslashes \\\\ to escape one backslash \

I tried your regex and it works for me:

rule "test"
when
    has_field("full_message") AND regex("MaaS360\\\\Cloud Extender\\\\EMSAgent.exe", to_string($message.full_message)).matches == true
then
    let debug_message = concat("maas: ", to_string($message.full_message));
    debug(debug_message);
    set_field("maas", "MaaS360");
end

Topic		Replies	Views
Regex in pipeline "when" not working Graylog Central (peer support) pipeline-rules , route-to-streampl	1	1855	January 24, 2018
Regex in rule doesnot work as expected Graylog Central (peer support) pipeline-rules	7	1438	October 25, 2017
Creating a pipeline rule with \\ in it Graylog Central (peer support)	2	212	March 22, 2024
New at rules, getting NPE Graylog Central (peer support)	2	738	July 6, 2017
Pipelines with regex and special character Graylog Central (peer support) pipeline-rules , regex-special-charac	6	5116	April 11, 2018

Pipeline Rule Filter Question

Related topics