Regex Matching in Pipeline or Extractor

ihe · January 13, 2023, 9:04am

I hate regex as much as I love Grok. Why don’t give a try with Groks?
Grokpattern needed beforehand:

DATA_ALL_BUT_SPACE 	[^ ]+
DATA_ALL_BUT_CLOSED_CORNERED_BRACKET 	[^]]+
DATA_ALL_BUT_OPENED_CORNERED_BRACKET	[^[]+

Now build a grok saved as myMagic using those to get the string done:
%{DATA_ALL_BUT_SPACE:source} Hostd: %{DATA_ALL_BUT_OPENED_CORNERED_BRACKET:host}]%{DATA_ALL_BUT_CLOSED_CORNERED_BRACKET:some_id}]

and we have those fields:

{
  "source": "herpa.derpa.corpo.lab",
  "host": "verbose hostd",
  "some_id": "2103629"
}

And not build a pipeline parsing it:

rule "parse_myMagic"
when
  //what ever reason applies
then
  set_fields(
    grok(
      pattern:"^%{myMagic}",
      value:to_string($message.message),
      only_named_captures:true
    )
  );
end

and you should be done.

Topic		Replies	Views
Can't get this pipeline to work Graylog Central (peer support) pipeline-rules	4	242	December 21, 2023
Doubt about Regex on Pipeline Graylog Central (peer support)	2	230	January 18, 2023
Need some help with regex in pipeline rule Graylog Central (peer support) pipeline-rules	2	1469	July 7, 2023
Pipeline regex rule Graylog Central (peer support) pipeline-rules	8	1044	April 23, 2023
Regexing error only in pipelines Graylog Central (peer support)	2	505	December 13, 2018

Regex Matching in Pipeline or Extractor

Related Topics