Pipeline Rule with quotation mark

Hello,

In a GELF message which reads like this:
C63C28C45C67FE7-0000000000000017 QuittungsID: DWFENTW-f40c7bc2-b0bb-zzzf-ba6b-399591671e09, DruckauftragID: ZHP-ENTW-729abcb1-6ea0-4b00-fffz-828eb1b1bf8c-1, Message received from Rest-Consumer : {"HEADER":{"ERSTELLUNGS_ZEITPUNKT":"2023-03-10T10:38:31.000036+01:00","SCHNITTSTELLE":"DokumentQuittung","VERSION":1,"HERKUNFT":"DWF","AKTION":"","ORDNUNGSBEGRIFF_TYP":"QuittungsId","ORDNUNGSBEGRIFF":"DWFENTW-f40c7bc2-b0bb-48a8-ba6b-399591671e09","AUSLOESENDER_USER":"effe","AUSLOESENDE_ANWENDUNG":"Documendomm Workflow","UMGEBUNG":"ENTW"},"QUITTUNG":{"STATUS":"OK","STATUS_CODE":4001,"MESSAGE":"Dokument archiviert","ORDNUNGSBEGRIFF_TYP":"DruckauftragID","ORDNUNGSBEGRIFF":"ZHR-ENTW-729abcb1-6ea0-4b00-88a1-828eb1b1bf8c-1","ARCDOCID":"df4ba21da4f45673f9e8c711","CONTENT_REPOSITORY":"CB","AUFTRAG_HERKUNFT":"ZRP"}}

the field StatusCode (4001) should be extracted with a regex expression:

        let m4 = regex(".*\"STATUS_CODE\":([4][0-9]{3}).*", to_string($message.message), ["statusCode"]);
        set_fields(m4); 

But this does not work. What does this regex need to look like?

Thanks in advance.

Dietmar Schurr

OS Information: openSuse 12.4
Graylog Version: 4.3.12

Your : needs to be double escaped.

Characters that need to be escaped:

& | : \ / + - ! ( ) { } [ ] ^ " ~ * ?

Also you may want

        set_fields(m4["0"]);

Thank you very much.

Suddenly, if we use full_message instead of message it works!

Regards,

Dietmar


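An offline check of the outcome reported in this thread, added here as an example and not code from any poster or from Graylog: it runs the pattern from the question against both fields of a constructed event and also reads the status code by decoding the embedded JSON. The event layout (`message` holding only a shortened text, `full_message` the whole line) and all function names are assumptions.

```python
import json
import re

# Pattern from the question, unchanged apart from Python string quoting.
STATUS_RE = re.compile(r'.*"STATUS_CODE":([4][0-9]{3}).*')

# Constructed sample, shortened from the message in the question.
FULL = ('C63C28C45C67FE7-0000000000000017 QuittungsID: '
        'DWFENTW-f40c7bc2-b0bb-zzzf-ba6b-399591671e09, '
        'Message received from Rest-Consumer : '
        '{"HEADER":{"SCHNITTSTELLE":"DokumentQuittung","VERSION":1},'
        '"QUITTUNG":{"STATUS":"OK","STATUS_CODE":4001,'
        '"MESSAGE":"Dokument archiviert"}}')

# Assumption: `message` holds only a short text, `full_message` the whole line.
EVENT = {"message": FULL.split(",")[0], "full_message": FULL}


def status_code_regex(event, field):
    """Apply the rule's regex to one field; None if that field does not match."""
    m = STATUS_RE.match(str(event.get(field, "")))
    return int(m.group(1)) if m else None


def status_code_json(event, field="full_message"):
    """Decode the embedded JSON object instead of pattern-matching its text."""
    text = str(event.get(field, ""))
    start = text.find("{")
    if start < 0:
        return None
    try:
        # raw_decode stops at the end of the first JSON value, ignoring a trailer.
        doc, _ = json.JSONDecoder().raw_decode(text[start:])
    except json.JSONDecodeError:
        return None
    return doc.get("QUITTUNG", {}).get("STATUS_CODE")


def first_matching_field(event, fields=("message", "full_message")):
    """Report which field the regex matches, to debug a rule that sets nothing."""
    for name in fields:
        if status_code_regex(event, name) is not None:
            return name
    return None


if __name__ == "__main__":
    print(first_matching_field(EVENT), status_code_json(EVENT))
```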