Question on data type supported by graylog


(Charles Deng) #1

When I study how to make a pipeline, I am confused by the data types supported by Graylog. For example, the documentation for the function regex states:

regex(pattern: string, value: string, [group_names: array[string]])

…Returns a match object, with the boolean property matches to indicate whether the regular expression matched…

but searching the forum, people write it in the following way:

rule "a rule desc"
when
  regex("the-pattern", to_string($message.message)).matches == true
then
end

Firstly, $message.message in ES is a text data type, which is a string data type, so why do we need a type conversion with the function to_string?

Secondly, since the return value of regex(…).matches is already a boolean data type, why do we need an additional "== true" or a to_bool data type conversion?


(Jochen) #2

The type system used in the pipeline rules is really just a very thin layer over the Java type system with some syntactic sugar for specific types (such as String or Number).

Under the hood, $message.message is using the untyped Message#getField(String) method to access the “message” field, which is why you have to explicitly cast it to a String (otherwise it would be Object):


The comparison of the RegexMatchResult.matches property with true is unnecessary because the type is Boolean already, but I’d argue that it makes the intention of the when block more clear.
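The following rule is an added example, not code from the thread or from the Graylog project. It applies both points from the answer above: the field is read through the untyped lookup and cast with to_string, and the Boolean matches property is used directly in the when block with no "== true". It also passes group_names so the match result is reused in the then block. The sample log line, the regex and the field names ssh_user, src_ip and ssh_auth_failure are constructed for the example; reading a group back by the name given in group_names follows the regex function's documented return value but is not verified here.

```graylog
// Added example (not from the original thread). The rule is meant to match a
// constructed log line such as:
//   "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"
rule "extract failed ssh login source"
when
  // has_field guards the untyped Message#getField lookup; to_string casts the
  // Object to a String; .matches is already Boolean, so no "== true" is needed
  has_field("message") &&
  regex("Failed password for", to_string($message.message)).matches
then
  // Run the full pattern once more with named groups so the captured values
  // can be read back. Backslashes are doubled inside the string literal.
  let m = regex(
    "Failed password for (?:invalid user )?(\\S+) from (\\d{1,3}(?:\\.\\d{1,3}){3})",
    to_string($message.message),
    ["ssh_user", "src_ip"]
  );
  // Field names below are assumed for this example
  set_field("ssh_user", m["ssh_user"]);
  set_field("src_ip", m["src_ip"]);
  set_field("ssh_auth_failure", true);
end
```

The pattern is evaluated twice because a when block cannot bind a variable with let; the cheap literal check in when keeps non-matching messages from entering the then block, where the capture groups are extracted once. Leaving out "== true" changes nothing about the result, only about how explicit the condition reads, which is the trade-off described in the answer.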


(Charles Deng) #3

Got it. Thank you, Jochen!

