Regex works for search but not stream

Hi All,

I’ve just set up a new Graylog server and am trying to create a new stream for our domain controller event logs. Our domain controllers have a specific format, e.g. ENF-DC01.COMPANY. COM or AST-DC1.COMPANY. COM (we have 15 in total).

So I’ve created a new rule under a stream where source should match the regex:

.{4}(dc01 |DC01|dc1|DC1)(.company.com|.COMPANY. COM)

I’ve verified that this regex works using online generators and it also works if I search all messages using:

source: /.{4}(dc01 |DC01|dc1|DC1)(.company.com|.COMPANY. COM)/

But the stream just doesn’t seem to match any logs. When I load a message to test the rule it says:

“This message would not be routed to this stream”

I don’t understand why the regex works in a search but not a stream.

Any help would be appreciated. Thanks

Hi @mahesh.khetani

Try escaping the ‘.’ characters in your regular expression.

So, your regex should become something like:

.{4}(dc01 |DC01|dc1|DC1)(\.company\.com|\.COMPANY\.COM)

Thanks.

2 Likes
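A quick way to see why the two patterns behave differently is to run both of them over a handful of hostnames. The script below is an added example, not code from the thread or from Graylog; the `source` values are constructed, and it assumes the rule uses unanchored search semantics (Python `re.search`), so the pattern only has to occur somewhere in the field. The `route()` helper is hypothetical. It shows both failure modes a routing rule can have: the original pattern silently drops the upper-case DC names (a false negative, so those events never reach the stream), and because an unescaped `.` matches any character, it also accepts a host where the dot is replaced by another character (a false positive).

```python
import re

# Constructed sample values for the "source" field (not taken from the thread).
SOURCES = [
    "ENF-DC01.COMPANY.COM",   # DC name in upper case
    "AST-DC1.company.com",    # DC name in lower case
    "WEB-SRV01.COMPANY.COM",  # not a DC: must never be routed
    "LOG-DC01-company.com",   # constructed: '-' instead of '.' after the host part
]

# The two patterns exactly as posted in the thread.
ORIGINAL = r".{4}(dc01 |DC01|dc1|DC1)(.company.com|.COMPANY. COM)"
ESCAPED = r".{4}(dc01 |DC01|dc1|DC1)(\.company\.com|\.COMPANY\.COM)"


def route(pattern, sources=SOURCES):
    """Return the subset of sources a 'match regular expression' rule would route.

    Assumes unanchored search semantics: the pattern only has to occur
    somewhere in the field value, which is what re.search() does.
    """
    compiled = re.compile(pattern)
    return [s for s in sources if compiled.search(s)]


def compare(sources=SOURCES):
    """Per-source decision of both patterns, to see exactly where they disagree."""
    return {
        s: (bool(re.search(ORIGINAL, s)), bool(re.search(ESCAPED, s)))
        for s in sources
    }


if __name__ == "__main__":
    for src, (orig, esc) in compare().items():
        print(f"{src:24} original={str(orig):5} escaped={esc}")
```

Running it shows that the original pattern routes only `AST-DC1.company.com` and the constructed `LOG-DC01-company.com`: the stray space in `. COM` makes the upper-case branch unmatchable, while the unescaped dots let a non-dot character through. The escaped pattern routes exactly the two real DC names and nothing else.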

Bingo!

Sending you a virtual hi-5 Jesse, I’ve been racking my brains out for the past couple of days.

Many Thanks

1 Like

Success.

It did appear that the original regex you posted (minus the space in front of the last .com) did parse correctly and match as expected but, after testing in another parser, it failed.

It’s always best to be as exact as you can with your regex otherwise you can encounter strange things such as this :stuck_out_tongue:

Remember to mark a response as a solution so people can see that the thread has resolution.

Thanks
