I have a message field like this:
<174>Nov 19 12:18:38 INFO uvm[0]: {"reason":"FILTER_RULE","appName":"web_filter","requestLine":"GET http://rating.collaboraonline.com","sessionEvent":{"entitled":true,"protocol":6,"hostname":"192.168.10.5","CServerPort":443,"protocolName":"TCP","serverLatitude":33.8697,"localAddr":"192.168.10.5","SServerAddr":"23.88.51.130","remoteAddr":"23.88.51.130","serverIntf":1,"CClientAddr":"192.168.10.5","serverCountry":"US","sessionId":109355565762376,"SClientAddr":"23.23.23.23","clientCountry":"XL","CClientPort":55720,"policyRuleId":0,"timeStamp":"2022-11-19 12:18:37.717","serverLongitude":-118.3693,"clientIntf":13,"policyId":1,"SClientPort":40666,"bypassed":false,"SServerPort":443,"CServerAddr":"23.88.51.130","tagsString":""},"timeStamp":"2022-11-19 12:18:38.075","flagged":true,"blocked":true,"category":"Block HTTPs that is NOT stnd","ruleId":5,"class":"class com.untangle.app.web_filter.WebFilterEvent","categoryId":5}
I am trying to create a regular expression extractor to only pull the flat json itself out from the junk at the beginning of the message.
I have tried ^\[(\{.*\})\]$, ^(\{.*\})$, and ^\{.*\}$. But Graylog says it doesn't match, and I'm no good with regex.
I was able to get part of the JSON out with .*(\{.*\}).* but that only pulls out the inner section. Is there a way to get the whole thing while still being flexible if there are more or fewer inner objects?
Can anyone help me here?
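
Added example, not part of the original post: the four patterns from the question run against a constructed, shortened message of the same shape, next to one pattern that captures the whole object. The `FIXED` pattern and the function names are assumptions of this example; these regex constructs behave the same in Python's `re` as in the Java regex engine.

```python
import json
import re

# Constructed sample: same shape as the message in the post, shortened.
SAMPLE = ('<174>Nov 19 12:18:38 INFO uvm[0]: {"reason":"FILTER_RULE",'
          '"sessionEvent":{"entitled":true,"protocol":6},'
          '"blocked":true,"categoryId":5}')

# Patterns tried in the post, in order.
# The first three are anchored with ^ directly before "[" or "{", so the
# syslog prefix ("<174>Nov 19 ...") can never be skipped and nothing matches.
# The fourth starts with a greedy ".*" that swallows the outer "{" and only
# backtracks as far as the LAST "{" in the message, i.e. the inner object.
TRIED = [r'^\[(\{.*\})\]$', r'^(\{.*\})$', r'^\{.*\}$', r'.*(\{.*\}).*']

# Assumed fix: consume only non-"{" characters before the capture, then take
# everything greedily up to the last "}" so nested objects stay inside.
FIXED = r'^[^{]*(\{.*\})\s*$'


def capture(pattern, message):
    """Return group 1 (or the whole match if no group) of the first match."""
    m = re.search(pattern, message, re.DOTALL)
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def extract_event(message):
    """Pull the JSON object out of a syslog-prefixed message and parse it."""
    raw = capture(FIXED, message)
    if raw is None:
        raise ValueError("no JSON object found in message")
    return json.loads(raw)  # raises ValueError if the capture is not valid JSON


if __name__ == "__main__":
    for pattern in TRIED + [FIXED]:
        print(pattern, "->", capture(pattern, SAMPLE))
    print(extract_event(SAMPLE)["sessionEvent"])
```

Parsing the capture with `json.loads` confirms the extractor pulled a complete object rather than a fragment that only looks like JSON.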