…Returns a match object, with the boolean property matches to indicate whether the regular expression matched…
but searching the forum, people write it in the following way:
rule "a rule desc"
when
  regex("the-pattern", to_string($message.message)).matches == true
then
  …
end
Firstly, $message.message in ES is a text data type, which is a string type, so why do we need a type conversion via the function to_string?
Secondly, since the return value of regex(…).matches is already a boolean, why do we need an additional "== true" or a to_bool conversion?
The type system used in the pipeline rules is really just a very thin layer over the Java type system with some syntactic sugar for specific types (such as String or Number).
Under the hood, $message.message is using the untyped Message#getField(String) method to access the “message” field, which is why you have to explicitly cast it to a String (otherwise it would be Object):
The comparison of the RegexMatchResult.matches property with true is unnecessary because the type is Boolean already, but I’d argue that it makes the intention of the when block more clear.
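To make the two points above concrete, here is an added example rule (not taken from the question or the answer, and not Graylog's own code). It shows the explicit to_string cast on the untyped field, the bare .matches boolean in the when block without "== true", and a has_field guard so the rule does not act on a message that lacks the field. The log line format, the rule name and the output field names (ssh_user, src_ip, auth_failure) are constructed for illustration; regex, to_string, has_field and set_field are standard pipeline functions.

```graylog
rule "tag ssh authentication failures"
when
  // guard first: $message.message is untyped (Object), so only proceed when the field exists
  has_field("message") &&
  // .matches is already a Boolean; no "== true" is needed for the condition to be valid
  regex("^Failed password for", to_string($message.message)).matches
then
  // re-run with capture groups: the match object exposes unnamed groups as m["0"], m["1"], ...
  let m = regex("^Failed password for (\\S+) from (\\d+\\.\\d+\\.\\d+\\.\\d+)",
                to_string($message.message));
  set_field("ssh_user", m["0"]);
  set_field("src_ip", m["1"]);
  set_field("auth_failure", true);
end
```

For a constructed input such as "Failed password for admin from 203.0.113.5 port 22 ssh2", the rule sets ssh_user to "admin", src_ip to "203.0.113.5" and auth_failure to true; a message without that prefix leaves the fields untouched because .matches evaluates to false in the when block.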