Regex Pipeline Assistance

PaulRegan · July 24, 2019, 5:00pm

Trying to construct a rule to match [cb/sl]-srv-[1-#]

rule "identify servers"
when
has_field("source") AND to_bool(regex(("/\b(cb|sl)-srv-cas\\d*\b/ gmi"), 
to_string($message.source)).matches == true)
end

I have checked the regex part, which works, but having trouble with the syntaxt I think.

Advice welcome

jaikumarkrishna · July 25, 2019, 4:50am

Hi ,
Try this

\[cb\/sl]\-srv\-\[[\d+]\-\#\]

Tested http://grokconstructor.appspot.com/do/match#result working fine

jan · July 25, 2019, 12:28pm

you need to escape / and \ in regex - and possible double escape to make this work

system · August 8, 2019, 12:34pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regex Help / Pipeline Graylog Central (peer support)	2	350	August 3, 2019
Solved: Problem with pipeline rule and grok pattern Graylog Central (peer support) pipeline-rules	6	2771	August 25, 2019
Regex in Search Field Graylog Central (peer support)	6	1079	September 20, 2018
Pipeline Rule not working - Source replace with grok Graylog Central (peer support) pipeline-rules	10	1260	July 22, 2021
Need some help with regex in pipeline rule Graylog Central (peer support) pipeline-rules	2	1312	July 7, 2023

Regex Pipeline Assistance

Related Topics