Trouble getting Graylog decorators to work


(Nav) #1

Hi Folks,

I have created a Graylog pipeline and am using it as a decorator. I need to extract a field value or the entire field.

The pipeline rule

I don't see the new update_failure reason field after I apply the decorator. Also, you can see how the original failure reason appears.
[Screenshot: Graylog search, 2018-02-20 11:33:06]


(Jan Doberstein) #2

Regarding the docs of the regex function ( http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#regex ), you would need to access the result with update_failurereason[0].

Match the regular expression in pattern against value. Returns a match object, with the boolean property matches to indicate whether the regular expression matched and, if requested, the matching groups as groups. The groups can optionally be named using the group_names array. If not named, the groups names are strings starting with “0”.


(Nav) #3

Hi Jan,
So I change update_failurereason to update_failurereason[0] in the above rule and that would work?


(Jan Doberstein) #4

As the selected group via regex needs to be a string, it should be update_failurereason["0"]; pardon my mistake.

Jan
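To make the group naming concrete, here is an added Python model of what the docs quoted above say the regex() function returns (a boolean `matches` plus `groups` keyed "0", "1", ... when no group_names are given). This is illustration code written for this thread, not Graylog's own implementation; the sample full_message line and the `graylog_regex` / `extract_failure_reason` helper names are constructed for the example, and the pattern is the one posted in the thread.

```python
import re

# Constructed sample of a Windows logon-failure message as it might sit in
# $message.full_message. It is not taken from the thread. The posted pattern
# ends in "$", which in both Python's and Java's default mode anchors to the
# end of input, so the Failure Reason line is placed last on purpose.
SAMPLE_FULL_MESSAGE = (
    "An account failed to log on.\n"
    "Logon Type: 3\n"
    "Failure Reason: Unknown user name or bad password."
)

# The regex exactly as posted in the thread; Python's re module reads the
# optional ">?" and the nested capturing group the same way.
FAILURE_REASON_PATTERN = r"Failure Reason:\s+(>?([^\s].*)$)"


def graylog_regex(pattern, value, group_names=None):
    """Model of Graylog's pipeline regex() as the docs describe it (assumption:
    built from the docs text, not from the Graylog source).

    Returns {"matches": bool, "groups": {...}} where the group keys are the
    supplied group_names, or the strings "0", "1", ... otherwise. Note the
    difference from Python: Graylog's "0" is the FIRST capturing group, while
    Python's m.group(0) is the whole match.
    """
    match = re.search(pattern, value)
    if match is None:
        return {"matches": False, "groups": {}}
    captured = match.groups()  # Python groups 1..n, in order
    names = group_names or [str(i) for i in range(len(captured))]
    return {"matches": True, "groups": dict(zip(names, captured))}


def extract_failure_reason(full_message):
    """Mirror of the posted rule: read group "0", but only when there is a
    match. In the rule itself that is the matches property on the result;
    setting the field unconditionally would otherwise raise an error or set
    nothing useful on messages without a Failure Reason line."""
    result = graylog_regex(FAILURE_REASON_PATTERN, full_message)
    if not result["matches"]:
        return None  # the rule would leave FailureReasonUpdated unset
    return result["groups"]["0"]


if __name__ == "__main__":
    print(graylog_regex(FAILURE_REASON_PATTERN, SAMPLE_FULL_MESSAGE))
    print(extract_failure_reason(SAMPLE_FULL_MESSAGE))
```

Running it shows that `groups["0"]` is the text after `Failure Reason:` (including a leading `>` if the message has one, because the optional `>?` sits inside the outer group) and `groups["1"]` is the inner group without it; a message with no such line yields `matches` false, which is the case a rule should guard against before calling set_field.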


(Nav) #5

Pardon me for my ignorance; does this look right?

rule "function UpdateFailureReason"
when
    has_field("FailureReason")
then
    // regex() returns a match object; the first capture group is under the string key "0"
    let update_failurereason = regex("Failure Reason:\s+(>?([^\s].*)$)", to_string($message.full_message));
    set_field("FailureReasonUpdated", update_failurereason["0"]);
end

I still don't see a new field called FailureReasonUpdated with the results from the regex function.


(Jan Doberstein) #6

Did you check if your regex works on the input from the field?


(Nav) #7

I am using the same regex with an extractor and it works. However, in this case I modified the keyword from Logon Type to Failure Reason.


(Nav) #8

Hi Jan, wondering if you see any issues with the rule? It doesn't seem to work on my end.


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.