Set the fieldname of the set_field function from another function

Hazmes · December 14, 2017, 3:54pm

Hi,

I am currently trying something like this:

rule "extract analysed or failed requests"
When
    has_field("message") AND regex("(\\w*\\sRequests):\\s(\\d*)",to_string($message.message)).matches == true
then
    let m = regex("(\\w*\\sRequests):\\s(\\d*)",to_string($message.message));
    set_field(to_string(m["0"]),to_string(m["1"]));
end

And I want to match a message like this

Failed Requests: 0

This does not work currently, however if I set the field name in the set_field function to an actual string it works.

Is my code wrong or does the function set_field not support field names from anything but a literal string?
If yes, how can I do it then?

jochen · December 14, 2017, 4:01pm

Field names always have to be strings.

system · December 28, 2017, 4:01pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog Remove Field That Matches Regular Expression Graylog Central (peer support)	6	1032	August 27, 2019
Referencing fields inside match object Graylog Central (peer support)	4	745	July 17, 2019
Output regex result to a field in a rule Graylog Central (peer support) sidecar , winlogbeat	3	713	September 14, 2018
Split function usage Graylog Central (peer support)	2	1392	April 12, 2018
Basic contain from message field Graylog Central (peer support)	2	345	October 1, 2019

Set the fieldname of the set_field function from another function

Related Topics