Problems with regular expression extractor for json (prior to json extractor)

I have a message field like this:

<174>Nov 19 12:18:38 INFO  uvm[0]:  {"reason":"FILTER_RULE","appName":"web_filter","requestLine":"GET","sessionEvent":{"entitled":true,"protocol":6,"hostname":"","CServerPort":443,"protocolName":"TCP","serverLatitude":33.8697,"localAddr":"","SServerAddr":"","remoteAddr":"","serverIntf":1,"CClientAddr":"","serverCountry":"US","sessionId":109355565762376,"SClientAddr":"","clientCountry":"XL","CClientPort":55720,"policyRuleId":0,"timeStamp":"2022-11-19 12:18:37.717","serverLongitude":-118.3693,"clientIntf":13,"policyId":1,"SClientPort":40666,"bypassed":false,"SServerPort":443,"CServerAddr":"","tagsString":""},"timeStamp":"2022-11-19 12:18:38.075","flagged":true,"blocked":true,"category":"Block HTTPs that is NOT stnd","ruleId":5,"class":"class","categoryId":5}

I am trying to create a regular expression extractor to only pull the flat json itself out from the junk at the beginning of the message.

I have tried ^\[(\{.*\})\]$, ^(\{.*\})$, and ^\{.*\}$. But Graylog says it doesn't match, and I’m no good with regex.

I was able to get part of the json out with .*(\{.*\}).* but that only pulls out the inner section. Is there a way to get the whole thing while still being flexible if there are more or less inner objects?

Can anyone help me here?

Hey @erasedhammer

I have seen something similar; perhaps this post might help.


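The following is an added example, not code from the thread or from Graylog: it runs the patterns from the question against a shortened, constructed copy of the message and shows why each fails, then a pattern that captures from the first `{` to the last `}`. It assumes the extractor searches the message and returns capture group 1, as Python's `re.search` does here; `FIXED`, `first_group` and `extract_json` are hypothetical names.

```python
import json
import re

# Constructed sample: a shortened version of the message in the question.
MESSAGE = ('<174>Nov 19 12:18:38 INFO  uvm[0]:  {"reason":"FILTER_RULE",'
           '"sessionEvent":{"protocol":6,"CServerPort":443,"bypassed":false},'
           '"blocked":true,"ruleId":5}')

# Patterns from the question. The first three anchor "{" or "[" to the start
# of the message, but the message starts with the syslog prefix "<174>...".
# The fourth has a greedy leading ".*" that swallows everything up to the
# LAST "{", so the capture starts at the inner object.
TRIED = [r'^\[(\{.*\})\]$', r'^(\{.*\})$', r'^\{.*\}$', r'.*(\{.*\}).*']

# Suggested pattern (an assumption, not from the thread): skip every
# character that is not "{", then capture greedily to the last "}".
FIXED = r'^[^{]*(\{.*\})\s*$'


def first_group(pattern, text):
    """Return capture group 1 (or the whole match if no group), else None."""
    m = re.search(pattern, text)
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def extract_json(text):
    """Extract with FIXED and confirm the capture parses as a JSON object."""
    captured = first_group(FIXED, text)
    if captured is None:
        return None
    try:
        obj = json.loads(captured)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


if __name__ == "__main__":
    for p in TRIED + [FIXED]:
        print(f"{p!r:22} -> {first_group(p, MESSAGE)!r}")
    print(extract_json(MESSAGE))
```

Because the capture runs to the last `}` on the line, the pattern works regardless of how many nested objects the payload contains; parsing the capture with a JSON parser catches messages where the prefix itself contains a `{`.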