Use Contains in a pipeline rule with double quote

Hello
I’ve tried to read up on the docs and this forum before posting this but couldn’t find a similar issue.
I’m trying to implement a pipeline rule like below to route certain messages based on a string.

rule "New_Route"
when
    contains(to_string($message.message), "\"source\"\:\"something\"")
then
    route_to_stream("new stream");
    remove_from_stream("All messages");
end

Now what makes this tricky is that what I’m looking for is a string like this: "source":"something"
And at the same time we have to put the search substring within double quotes.
So I have to escape the double quotes, but the UI doesn’t let me save the rule this way and throws an error “Saving rule “undefined” failed with status: There was an error fetching a resource: . Additional information: Not available”
I have tried to put the search substring into single quotes as well but it didn’t work.
Any idea would be appreciated.

You don’t need to escape the colon because it is between the true quotes. Once I remove that escape, I am able to save it.

rule "New_Route"
when
    contains(to_string($message.message), "\"source\":\"something\"")
then
    route_to_stream("new stream");
    remove_from_stream("All messages");
end
1 Like

Thanks, it seems it worked. However, I still don’t understand why (what does true quote mean here), sorry for the noob question.

When you are doing anything in regex/GROK you need to make sure that you escape special characters with a backslash (possibly more than one depending on Graylog scenario) or they will be treated as a command rather than the character they are, right?

. \ + * ? [ ^ ] $ ( ) { } = ! < > | : -

In your case you are defining a string with true double quotes (That’s just what I call them) so the only thing you need to escape is the double quotes that aren’t ending your string. All other “special” characters will be treated as just a part of that string.

2 Likes
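Added example (not part of the thread and not Graylog code): a small pre-save check that walks the double-quoted literals in a rule, decodes them to the substring `contains()` would actually search for, and reports escapes such as `\:` that have no meaning inside a string literal. The accepted escape set is an assumption (Java-style); the thread itself only confirms that `\"` is accepted and `\:` is rejected.

```python
import re

# Assumption: Java-style simple escapes are what the rule parser accepts in "...".
SIMPLE = {"b": "\b", "t": "\t", "n": "\n", "f": "\f", "r": "\r",
          '"': '"', "'": "'", "\\": "\\"}
# One double-quoted literal on a line; a backslash always pairs with the next char.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def scan(rule_source):
    """Return (decoded_literals, findings); findings are (line_no, bad_escape)."""
    decoded, findings = [], []
    for line_no, line in enumerate(rule_source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            body, out, i = match.group(1), [], 0
            while i < len(body):
                if body[i] != "\\":
                    out.append(body[i])
                    i += 1
                    continue
                esc = body[i + 1]
                # \uXXXX is modelled; octal escapes are not (they would be flagged).
                if esc == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", body[i + 2:i + 6]):
                    out.append(chr(int(body[i + 2:i + 6], 16)))
                    i += 6
                    continue
                if esc not in SIMPLE:
                    findings.append((line_no, "\\" + esc))
                out.append(SIMPLE.get(esc, esc))
                i += 2
            decoded.append("".join(out))
    return decoded, findings


# Constructed from the two rules posted in the thread.
BROKEN_RULE = r'''rule "New_Route"
when
    contains(to_string($message.message), "\"source\"\:\"something\"")
then
    route_to_stream("new stream");
    remove_from_stream("All messages");
end'''
FIXED_RULE = BROKEN_RULE.replace(r"\:", ":")

if __name__ == "__main__":
    for name, src in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        literals, findings = scan(src)
        print(name, findings, literals[1])
```

The regex metacharacter list from the reply above plays no part in this check, because `contains()` takes a plain string and only the string-literal escapes matter.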

Thanks a lot for your help :pray:
