Regex extractor not working

This might be a general regex problem, but I’ve confirmed it works and captures the MAC address on and PowerShell.

Test String
dhcpd[89514]: DHCPDISCOVER from 12:e4:88:ac:cd:12 via em0

Graylog version is 4.0.8.

Hello && Welcome

I did a test using


Maybe give that a try.

Hope that helps

Same result, no good.

With the lack information you are giving us to help troubleshoot your issue not much more I can do for you. It could be the way you confguring your extractors, just not sure.

What more information do you need? It feels like when I use non-capture groups, it fails.

RegEx Tools vs Graylog Matching - Graylog - Graylog Community this indicates to use a site that supports Java Regex.

What does your outcome look like when to test this in Graylog against the message?

Do you just get an error? If so what does the error state?
Or do you get some random field?

Does it Show any information where its trying to extract the information from the message?

Have you seen this? Maybe something here might help.

Looks just like that. Error is that the regex didn’t match.

The MAC regex could be the issue, but it works on multiple platforms. I’m having the same issue with other extractors, far simpler.

I was looking for away to test your message given from above in to Graylog so I could test it out, the only way I can test this is through GROK pattern. But I dont know if you want to go that route. Not sure why its not work for you.

EDIT: So this works in GROK as shown from above

It seems enough retries and you’ll eventually get it to work. Here’s the regex that did it:


I did notice in one of my other ones I picked the wrong field; however, that wasn’t the case in my MAC address extractor.

1 Like

Thanks for sharing, and yeah Ive had problem with this before. Glad you worked it out.

1 Like

Appreciate the help.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.