Regex returning unintended sting


I am attempting to use the regex function to extract the status code from a message. The status code is always prefaced with: “GET /”, for e.g:
21 -0500] “GET /” 401 381

I have the following as a rule in my pipeline:
let status = regex(“GET\\s\\/.\\s([0-9]{3})”,to_string($message.message));
set_field(“Status”, status);

However, I get the following as the status:

instead of “GET/” 401

I tested the regular expression on, and it matches the string correctly. I also read this post: Regex pipeline : Get IP from string field, which informed me to escape the “\” characters.

Are there any other quirks to the regex pattern?

(Jesse Hills) #2

Hi @nsookhoo

You could try this and see if it works for you:

Regex: ^.*\"\s(\d{3})

I’ve tested the above against the example you provided in your original post and it appears to parse as intended.

Let me know if it works for you.



Thanks for the reply.
I simply cut and pasted the expression but there was some syntax error:

(Jesse Hills) #4

Please provide the error that is being produce :slight_smile:



Use double escape ín pipeline

(Jesse Hills) #7

Hi again @nsookhoo

Just got back onto my dev system and checked.

The pipeline rule editor doesn’t appear to complain with this regex: ^.*\"\\s(\\d{3})

You can try that however, if that produces strange results, you can also try: ^.*\\\"\\s(\\d{3})


(system) closed #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.