Regex Replace Extractor or Pipeline?


#1

Is it possible to run a regex replace on a field being imported and create a new field with the result? My log has SQL statements in them, I can extract them but I’d also like to create a collapsed or generic version in order to aggregate the statement i.e. I want to replace quoted strings and numbers/dates in the string to identify a statement that appears repeatedly but with different query values.

For example:
SELECT * FROM EMP WHERE EMPLOYEE='CHRIS' AND STATUS=1
and
SELECT * FROM EMP WHERE EMPLOYEE='FRED' AND STATUS=2

Would both be captured but also an additional “collapsed” version would be created such as:
SELECT * FROM EMP WHERE EMPLOYEE='' AND STATUS=

I have a regex to do the replace, I’m just not sure how to put this in to graylog, my aim is that I know that the equivalent statement was found twice in my log files.

Chris.


#2

I realized I may not have been clear, I have an extractor (regex replace) that identifies and extracts the SQL statement, what I don’t understand is how I can collapse the strings/numbers in that - are there any examples of what I can put in the “replacement” field to accomplish this?

In Python for example I have previously used something like `re.sub(r"'.*?'", "", myField)` to replace all of the strings.
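The collapse described in both posts, worked through as an added example (not code from the original thread or from Graylog): a stand-alone Python pipeline that extracts the SQL field from constructed sample log lines, replaces string literals and bare numbers to get the generic shape, and counts how often each shape occurs. The `SQL: ` marker and the log format are assumptions; the two literal-matching patterns are plain regex and could be carried over into a regex-replace extractor's regex and replacement fields.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post); the "SQL: " prefix is assumed.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z app[1] SQL: SELECT * FROM EMP WHERE EMPLOYEE='CHRIS' AND STATUS=1",
    "2024-01-01T10:00:05Z app[1] SQL: SELECT * FROM EMP WHERE EMPLOYEE='FRED' AND STATUS=2",
    "2024-01-01T10:00:09Z app[2] SQL: UPDATE EMP SET HIRED='2024-01-01' WHERE ID=42",
    "2024-01-01T10:00:12Z app[2] SQL: SELECT * FROM EMP WHERE EMPLOYEE='O''BRIEN' AND STATUS=3",
    "2024-01-01T10:00:15Z app[1] health check ok",
]

# Extractor stage: pull the statement out of the line (hypothetical "SQL: " marker).
SQL_FIELD_RE = re.compile(r"SQL: (?P<sql>.+)$")

# Quoted string literal. Matching "anything but a quote, or a doubled quote" instead of
# a greedy '.*' means two literals in one statement are collapsed separately, and an
# escaped quote inside a literal (O''BRIEN) does not end it early.
QUOTED_STRING_RE = re.compile(r"'(?:[^']|'')*'")

# Bare numeric literal (integer or decimal). The look-around keeps digits that are part
# of an identifier such as EMP2 or T1 intact.
NUMBER_RE = re.compile(r"(?<!\w)\d+(?:\.\d+)?(?!\w)")


def collapse_sql(statement: str) -> str:
    """Return the generic shape: string literals become '' and numbers are dropped."""
    collapsed = QUOTED_STRING_RE.sub("''", statement)
    collapsed = NUMBER_RE.sub("", collapsed)
    return re.sub(r"\s+", " ", collapsed).strip()


def count_statement_shapes(log_lines):
    """Run extractor + collapse over every line and count each resulting shape."""
    counts = Counter()
    for line in log_lines:
        match = SQL_FIELD_RE.search(line)
        if match is None:
            continue  # line carries no SQL statement
        counts[collapse_sql(match.group("sql"))] += 1
    return counts


if __name__ == "__main__":
    for shape, n in count_statement_shapes(SAMPLE_LOG).most_common():
        print(f"{n}x {shape}")
```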

