So I am trying to set a field rmq_workload, which would be an int/long, based on whether a message contains the string "channels open and a total workload of #", where "#" is the int value I want in the field.
This is the rule I've created; however, it just adds the field rmq_workload with a value of "0" to every message:
rule "RMQ Workload"
when
  has_field("message")
then
  let grep = regex("(?:\\bchannels\\sopen\\sand\\sa\\stotal\\sworkload\\sof\\s\\b)([0-9]{1,})",
                   to_string($message.message));
  let rmq_int = to_long(grep["0"]);
  set_field("rmq_workload", rmq_int);
end
Never mind, figured it out myself. There's almost certainly some room for improvement in my regex (it always makes my head hurt), but I just needed to be more explicit in my when statement. So the following did what I needed:
rule "RMQ Workload"
when
  regex(".*(channels\\sopen\\sand\\sa\\stotal\\sworkload\\sof\\s\\d+)", to_string($message.message)).matches == true
then
  let grep = regex("((?<=channels\\sopen\\sand\\sa\\stotal\\sworkload\\sof\\s)[0-9]{1,})",
                   to_string($message.message));
  let rmq_int = to_long(grep["0"]);
  set_field("rmq_workload", rmq_int);
end
Also, negative lookahead seems a better way to go.
However, if anyone is feeling generous, I’d happily take any improvement suggestions.
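As an added illustration (not part of the original thread and not Graylog code), here is a small Python mirror of the two rules above. It uses the same lookbehind regex as the working rule, runs it over a few constructed RabbitMQ-style log lines, and shows the difference between the two when conditions: Graylog's to_long() returns its default of 0 when the value it is given is missing or unparseable, so an unguarded rule that always calls set_field stamps rmq_workload=0 on every message that lacks the phrase, while gating on the match leaves those messages untouched. The function names and sample lines are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Same lookbehind pattern as the working rule; Java (Graylog) and Python
# agree on this syntax, and the lookbehind is fixed-width so both accept it.
WORKLOAD_RE = re.compile(r"(?<=channels\sopen\sand\sa\stotal\sworkload\sof\s)\d+")

# Constructed sample lines (not real RabbitMQ output): one hit, one unrelated
# message, and one near-miss where the phrase is followed by a non-number.
SAMPLE_MESSAGES: List[str] = [
    "rabbit@node1: 12 channels open and a total workload of 37 (queue depth 5)",
    "accepting AMQP connection from 10.0.0.5:51234",
    "rabbit@node2: channels open and a total workload of unknown",
]


def extract_workload(message: str) -> Optional[int]:
    """Return the workload as an int, or None when the phrase is absent.

    This is the Python equivalent of regex(...)["0"] in the rule, except that
    a non-match is reported as None instead of being silently coerced to 0.
    """
    m = WORKLOAD_RE.search(message)
    return int(m.group(0)) if m else None


def apply_rule_unguarded(msg: Dict[str, object]) -> Dict[str, object]:
    """Mirror of the first rule: `when has_field("message")`.

    The body always runs, so for a non-matching message to_long() gets a
    missing group and falls back to 0, which is then written to the field.
    """
    out = dict(msg)
    if "message" in out:
        value = extract_workload(str(out["message"]))
        out["rmq_workload"] = value if value is not None else 0  # to_long default
    return out


def apply_rule_guarded(msg: Dict[str, object]) -> Dict[str, object]:
    """Mirror of the second rule: `when regex(...).matches == true`.

    The field is only set when the phrase and a number are actually present.
    """
    out = dict(msg)
    value = extract_workload(str(out.get("message", "")))
    if value is not None:
        out["rmq_workload"] = value
    return out


def count_tagged(messages: List[str]) -> Tuple[int, int]:
    """How many messages end up carrying rmq_workload under each rule."""
    unguarded = sum("rmq_workload" in apply_rule_unguarded({"message": m}) for m in messages)
    guarded = sum("rmq_workload" in apply_rule_guarded({"message": m}) for m in messages)
    return unguarded, guarded


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{extract_workload(m)!s:>5}  <- {m}")
    print("tagged (unguarded, guarded):", count_tagged(SAMPLE_MESSAGES))
```

The operational point is that the stray zeros are not just clutter: any dashboard, aggregation or alert keyed on rmq_workload would have counted every unrelated message as a zero-workload node, so the guard in the when clause is what makes the field trustworthy.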
You can use regex101.com to figure out your regex. There are always oddities in how one group sees regex versus another, but this will get you there nearly all the time.