Regex in rule does not work as expected

Hello,

incoming messages look like this:

%IGMP-4-QUERY_DROP_ON_SAT_PORT: igmp [3917] Since router ports on fexes is not supported, dropping queries received on fex interface Eth116/1/6.

Timestamp is already extracted.

Now I want to get the port (Eth116/1/6) and save it as a new field.

This rule gives me errors:

rule "find_igmpport"
when
   (has_field("facility") AND (to_string($message.facility) == "local7")) AND (has_field("level") AND (to_long($message.level) == 4)) AND (has_field("message") AND (regex("^%IGMP-4-QUERY_DROP_ON_SAT_PORT",to_string($message.message)).matches == true))
then
    let result = regex("^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\.$", to_string($message.message));
    set_field("IGMPport", result["1"]);
end

What is the problem?
Graylog is version 2.3.2 (2 virt. Appliances)

Thanks in advance;

Dietmar

Which errors do you get?

Even when you get it to work, it is probably slow.

You could try something like
(Eth[\d/]*)
instead for the regex you now use in the let_result line.

And, instead of regex, you could use the “contains” function in the “when” part.

I get the error in the picture.
The regex works in the online Java regex tester.

You need to escape the stray backslash (\) in your string, e. g. "^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\\.$".

The strings in the pipeline rules are modeled after Java strings.
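The following is an added example, not code from the thread or from Graylog itself, that shows the escaping point in plain Java (which is what pipeline rule strings are modeled after) and also tries the tighter `(Eth[\d/]*)` pattern suggested earlier in the thread. The sample message is constructed to match the one in the question; the class and method names are chosen here and are not pipeline functions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IgmpPortExtract {
    // Constructed sample, same shape as the syslog line quoted in the question.
    static final String SAMPLE =
        "%IGMP-4-QUERY_DROP_ON_SAT_PORT: igmp [3917] Since router ports on fexes is not supported, "
      + "dropping queries received on fex interface Eth116/1/6.";

    // The original rule wrote the pattern as "...(Eth.+)\.$". In a Java string literal
    // "\." is an illegal escape sequence, so this line does not compile; the pipeline
    // parser rejects the rule for the same reason. Kept here only as a comment:
    // static final String BROKEN = "^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\.$";

    // Doubling the backslash in the literal yields the regex text \. which matches a
    // literal dot. The leading .+ still forces backtracking across the whole line.
    static final Pattern GREEDY =
        Pattern.compile("^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\\.$");

    // Tighter alternative from the thread: no leading .+ and a character class instead
    // of .+ inside the group, so the engine stops at the first non-digit, non-slash.
    static final Pattern TIGHT = Pattern.compile("(Eth[\\d/]*)");

    // Returns capture group 1 (the port) or null when the pattern does not match.
    static String extract(Pattern p, String msg) {
        Matcher m = p.matcher(msg);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // The pattern text the regex engine actually sees: one backslash before the dot.
        System.out.println("regex text : " + GREEDY.pattern());
        // Cheap prefix check, the Java counterpart of the pipeline's contains() suggestion.
        System.out.println("prefix ok  : " + SAMPLE.contains("%IGMP-4-QUERY_DROP_ON_SAT_PORT"));
        System.out.println("greedy     : " + extract(GREEDY, SAMPLE));
        System.out.println("tight      : " + extract(TIGHT, SAMPLE));
    }
}
```

Both patterns return Eth116/1/6 for the sample line; the difference is that the tight pattern does not need to scan to the end of the line and backtrack, which is why it is the better choice for a rule that runs on every message.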

Hi Jochen,

thank you very much. Now it works.
But that’s strange to me: The stray backslash is needed to escape the single trailing dot (.).
That means I need to escape the backslash, which is needed to escape the dot by another backslash??

Regards,

Dietmar

By the way, is it possible to shorten the rule in a way that only one regex is needed?

That means, can the regex in the when part be written in a way that the result can be used in the then part?

Regards,

Dietmar

Yes, just like in Java strings:
https://docs.oracle.com/javase/9/docs/api/java/util/regex/Pattern.html

No, that’s not possible.
