Regex in rule does not work as expected

(Dietmar Schurr) #1


Incoming messages look like this:

%IGMP-4-QUERY_DROP_ON_SAT_PORT: igmp [3917] Since router ports on fexes is not supported, dropping queries received on fex interface Eth116/1/6.

Timestamp is already extracted.

Now I want to get the port (Eth116/1/6) and save it as a new field.

This rule gives me errors:

rule "find_igmpport"
when
    (has_field("facility") AND (to_string($message.facility) == "local7")) AND (has_field("level") AND (to_long($message.level) == 4)) AND (has_field("message") AND (regex("^%IGMP-4-QUERY_DROP_ON_SAT_PORT",to_string($message.message)).matches == true))
then
    let result = regex("^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\.$", to_string($message.message));
    set_field("IGMPport", result["1"]);
end

What is the problem?
Graylog is version 2.3.2 (2 virt. Appliances)

Thanks in advance.


(Jochen) #2

Which errors do you get?


Even when you get it to work, it is probably slow.

You could try something like
instead for the regex you now use in the let_result line.

And, instead of regex, you could use the “contains” function in the “when” part.

(Dietmar Schurr) #4

I get the error in the picture.
The regex works in the online Java regex tester.

(Jochen) #5

You need to escape the stray backslash (\) in your string, e.g. "^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\\.$".

The strings in the pipeline rules are modeled after Java strings.

(Dietmar Schurr) #6

Hi Jochen,

thank you very much. Now it works.
But that’s strange to me: the stray backslash is needed to escape the single trailing dot (.).
That means I need to escape the backslash, which is needed to escape the dot, with yet another backslash??



(Dietmar Schurr) #7

By the way, is it possible to shorten the rule in a way that only one regex is needed?

That means, can the regex in the when part be written in a way that the result can be used in the then part?



(Jochen) #8

Yes, just like in Java strings:

No, that’s not possible.

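The two escaping layers Jochen describes (the string literal first, then the regex engine) can be seen outside Graylog with any Java-like string syntax. The program below is an added example written for this thread, not the poster's rule and not Graylog code; it uses Go, whose interpreted string literals reject an unknown escape such as "\." at compile time, just as Java and Graylog rule strings do, so the backslash has to be doubled. The sample message is the one quoted in the first post; the prefix check before the regex follows Jochen's suggestion of a cheap contains() test in the when part, and the pattern is the poster's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sample input, copied from the thread's first post (constructed test data).
const sampleMessage = "%IGMP-4-QUERY_DROP_ON_SAT_PORT: igmp [3917] Since router ports on fexes is not supported, dropping queries received on fex interface Eth116/1/6."

// The prefix the rule's "when" clause keys on. A plain prefix/contains test
// is far cheaper than running a regex on every message.
const igmpPrefix = "%IGMP-4-QUERY_DROP_ON_SAT_PORT"

// Layer 1: the string literal. In an interpreted Go string (as in Java and in
// Graylog rule strings) `"\."` is an illegal escape and does not compile, so
// the backslash itself must be escaped. A raw string needs no doubling.
// Both literals produce exactly the same pattern text.
const portPatternInterpreted = "^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\\.$"
const portPatternRaw = `^%IGMP-4-QUERY_DROP_ON_SAT_PORT.+(Eth.+)\.$`

// Layer 2: the regex engine receives the text `\.` and reads it as a literal
// dot, so the message must end with the interface name followed by ".".
var portRe = regexp.MustCompile(portPatternRaw)

// SameRegexText reports whether the doubled-backslash literal and the raw
// literal hand the regex engine identical text.
func SameRegexText() bool {
	return portPatternInterpreted == portPatternRaw
}

// ExtractIGMPPort mirrors the rule: guard on the prefix first, then capture
// the interface name. It returns ("", false) when the message does not match.
func ExtractIGMPPort(msg string) (string, bool) {
	if !strings.HasPrefix(msg, igmpPrefix) {
		return "", false
	}
	m := portRe.FindStringSubmatch(msg)
	if m == nil {
		return "", false
	}
	return m[1], true
}

func main() {
	fmt.Println("pattern text identical:", SameRegexText())
	if port, ok := ExtractIGMPPort(sampleMessage); ok {
		fmt.Println("IGMPport =", port) // Eth116/1/6
	}
	// A message without the trailing dot, or from a different facility, is
	// rejected by the regex or by the prefix guard respectively.
	_, ok := ExtractIGMPPort("%IGMP-4-QUERY_DROP_ON_SAT_PORT: dropped on Eth1/1")
	fmt.Println("matches without trailing dot:", ok)
}
```

The capture group in the poster's pattern is greedy, so `(Eth.+)` swallows everything up to the final character and then backtracks one step so that `\.` can match the trailing dot; that is why a bare `.` in that position, which the unescaped string would have produced, matches any last character instead of requiring a dot.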
(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.