Regex search not working?

luckman212 · May 20, 2025, 12:40pm

Graylog beginner here. I have a single-node 6.2.2 instance (opensearch) set up and working.

I’m trying to search for messages using a regex. For example:

Actual message field stored in db:

sw02-desk 942a6f4e4a66,USW-Flex-2.5G-5-2.1.8.971: TLS-S: Starting TLS server on port 22. free_heap 137815

Search: message:/starting.*port/

This yields NO results. However, when I search for just message:/starting/ I do find the messages (plust a lot more that I don’t want).

I have tried:

message: /starting.*port/
message:/starting.*port/      << no space after fieldname
message: /Starting.*port/     << case sensitive?
message: /.*starting.*port.*/
message: /starting*port/

Even regular string globs are not working

message: "starting*port"

I have no idea why this isn’t working. Some sort of database/index configuration problem?

ihe · May 20, 2025, 1:23pm

Hi,
with your regex you define the message to start with “starting”. give

message:/.*Starting.*port.*/

a chance. This query is highly wasting CPU, as it has three wildcards in it.

luckman212 · May 20, 2025, 1:37pm

If you look at my original post you will see that I tried that query already (it’s the 4th one down) and it does not work.

frantz · May 26, 2025, 12:32pm

Your regex would work with another field, but the message field is quite different, it is a different OpenSearch analyzer, so the field is not parsed like others.

It is not a regex but I think you can try:

message:"Starting TLS server on port"

luckman212 · May 26, 2025, 3:16pm

Thanks but we’re getting off course of the original question: Is it possible to search the message field somehow using regex? How can it be done? If the answer is “no” I am a bit perplexed how to properly slice and dice this large data set, do we need to use another external tool?

ihe · June 2, 2025, 3:46pm

I’d suggest to copy that field “message” into another field and do the regex there? A pipeline with a little rule will do the job.

As there are other relevant information in that message I’d recommend to parse the whole message into different fields:
source:sw02-desk
id:942a6f4e4a66
don’t_know:USW-Flex-2.5G-5-2.1.8.971
service:TLS-S
source_port:22
free_heap:137815
event_action:“starting TLS Server”

If it is parsed like this you just could search for event_action:“starting TLS Server” and have the correct result.

luckman212 · June 3, 2025, 12:26am

Thanks. I admit I really don’t understand “why” I have to duplicate the message field to another field just so I can regex search on it. Is this expected? What are other people doing for complex searching? Everyone is making custom pipelines and duplicating the data? Or am I “doing it wrong” here? Trying to learn so please excuse my ignorance.

ihe · June 6, 2025, 9:35am

Having things properly parsed in different fields allows you to fill your aggregations with the results. This needs to be done during the processing of the logs and can not be done afterwards.
Opensearch, the database for the logs, has some special properties on some fields. For you own fields you might adjust those propertied in the “Index Set Field Type Profiles”.

Topic		Replies	Views
Regex Search in message / Chars like ", ==, <=, etc / Problem Graylog Central (peer support)	5	1089	October 14, 2019
Regex search in message field Graylog Central (peer support)	4	1434	February 23, 2021
Searching with regexp in graylog does not yield anything Graylog Central (peer support)	21	23163	May 8, 2019
Regex in Search Field Graylog Central (peer support)	6	1558	September 20, 2018
Regex works for search but not stream Graylog Central (peer support)	4	1384	January 31, 2019

Regex search not working?

Related topics