Regex returning unintended sting

Graylog Central (peer support)
1

I am attempting to use the regex function to extract the status code from a message. The status code is always prefaced with: “GET /”, for e.g:
21 -0500] “GET /” 401 381

I have the following as a rule in my pipeline:
let status = regex(“GET\\s\\/.\\s([0-9]{3})”,to_string($message.message));
set_field(“Status”, status);

However, I get the following as the status:
{“0”:“401”}

instead of “GET/” 401

I tested the regular expression on https://regexr.com, and it matches the string correctly. I also read this post: Regex pipeline : Get IP from string field, which informed me to escape the “\” characters.

Are there any other quirks to the regex pattern?

2

Hi @nsookhoo

You could try this and see if it works for you:

Regex: ^.*\"\s(\d{3})

I’ve tested the above against the example you provided in your original post and it appears to parse as intended.

Let me know if it works for you.

Thanks.

3

Thanks for the reply.
I simply cut and pasted the expression but there was some syntax error:
image

4

Please provide the error that is being produce :slight_smile:

5

image
image.png827×258 39.1 KB

6

Use double escape ín pipeline

7

Hi again @nsookhoo

Just got back onto my dev system and checked.

The pipeline rule editor doesn’t appear to complain with this regex: ^.*\"\\s(\\d{3})

You can try that however, if that produces strange results, you can also try: ^.*\\\"\\s(\\d{3})

Thanks.

8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.