Question on data type supported by graylog

cdeng · March 16, 2018, 1:01pm

when i study on how to make a pipeline, i am confused with the data type supported by graylog, for example, as the statements for function regex:

regex(pattern: string, value: string, [group_names: array[string])

…Returns a match object, with the boolean property matches to indicate whether the regular expression matched…

but search in forum, they are writing in the following way:

rule “a rule desc”
when
regex(“the-pattern”, to_string($message.message)).matches == true
then
…
end

firstly the $message.message in ES was a text data type which was a data type of string, why we need a type conversion by the function to_string ?

secondly now that the return value of regex(…).matches already a boolean data type, why we need an additional “== true” or to_bool data type conversion？

jochen · March 16, 2018, 1:35pm

The type system used in the pipeline rules is really just a very thin layer over the Java type system with some syntactic sugar for specific types (such as String or Number).

Under the hood, $message.message is using the untyped Message#getField(String) method to access the “message” field, which is why you have to explicitly cast it to a String (otherwise it would be Object):

github.com

Graylog2/graylog-plugin-pipeline-processor/blob/2.4.3/plugin/src/main/java/org/graylog/plugins/pipelineprocessor/ast/expressions/MessageRefExpression.java#L43


public boolean isConstant() {
    return false;
}


@Override
public Object evaluateUnsafe(EvaluationContext context) {
    final Object fieldName = fieldExpr.evaluateUnsafe(context);
    if (fieldName == null) {
        return null;
    }
    return context.currentMessage().getField(fieldName.toString());
}


@Override
public Class getType() {
    return Object.class;
}


@Override
public String toString() {
    return "$message." + fieldExpr.toString();

github.com

Graylog2/graylog2-server/blob/2.4.3/graylog2-server/src/main/java/org/graylog2/plugin/Message.java#L484-L486


public Object getField(final String key) {
    return fields.get(key);
}

The comparison of the RegexMatchResult.matches property with true is unnecessary because the type is Boolean already, but I’d argue that it makes the intention of the when block more clear.

github.com

Graylog2/graylog-plugin-pipeline-processor/blob/2.4.3/plugin/src/main/java/org/graylog/plugins/pipelineprocessor/functions/strings/RegexMatch.java#L116-L118


public boolean isMatches() {
    return matches;
}

cdeng · March 16, 2018, 1:45pm

Got it. thank you jochen !

Topic		Replies	Views
About data types in graylog and ES Graylog Central (peer support) pipeline-rules	2	2408	April 4, 2018
Pipeline Rule - converted numbers changed to zeros Graylog Central (peer support) pipeline-rules , debuggingpl , sidecar , nxlog , nodatanx	25	3490	September 7, 2023
Help Needed with Graylog Pipeline - Conversion Issue Graylog Central (peer support) pipeline-rules	8	218	July 11, 2024
Changing a field type from string to numeric and mid-setup and past string values Graylog Central (peer support) pipeline-rules , debuggingpl	10	17610	December 13, 2017
Pipeline Rule for Changing Type Based on Port Number Graylog Central (peer support)	5	588	February 10, 2023

Question on data type supported by graylog

Related topics