Setting Field Value in Event Definitions Using Regular Expressions

m3nthal · February 28, 2020, 2:44pm

Hi,

I am using Graylog v3.2 and would like to enrich event notification with fields extracted from the original message. Assuming this could be done via Template option that used JMTE syntax, how is it possible to set a value using regular expressions? Official documentation has no examples nor does the JMTE syntax reference.

For example. ${source.messge} contains a string "custom_string='123'". To extract the value of custom_string we could use regex /custom_string='(.*)'/ and then select the second matching group.

Is this possible using the Template? Or there is a better way of doing it?

Thank you.

tmacgbay · February 28, 2020, 3:40pm

I would handle that in a pipeline rule so it was already set up and stored in the stream/elastic before I get to the event notification.

m3nthal · February 28, 2020, 3:41pm

Thank you, will try that.

system · March 13, 2020, 3:41pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline - set_fields Graylog Central (peer support)	5	1212	August 22, 2018
Graylog Remove Field That Matches Regular Expression Graylog Central (peer support)	6	1036	August 27, 2019
Output regex result to a field in a rule Graylog Central (peer support) sidecar , winlogbeat	3	715	September 14, 2018
Alert processing query Graylog Central (peer support)	4	683	August 1, 2018
Create a field which name is the value from another on Graylog Central (peer support)	4	1084	October 3, 2018

Setting Field Value in Event Definitions Using Regular Expressions

Related Topics