Hello
I’ve tried to read up on the docs and this forum before posting this but couldn’t find a similar issue.
I’m trying to implement a pipeline rule like the one below to route certain messages based on a string.
rule "New_Route"
when
contains(to_string($message.message), "\"source\"\:\"something\"")
then
route_to_stream("new stream");
remove_from_stream("All messages");
end
Now what makes this tricky is that I’m looking for a string like this: "source":"something"
And at the same time we have to put the search substring within double quotes.
So I have to escape the double quotes, but the UI doesn’t let me save the rule this way and throws an error: “Saving rule “undefined” failed with status: There was an error fetching a resource: . Additional information: Not available”
I have tried to put the search substring into single quotes as well but it didn’t work.
Any idea would be appreciated.
You don’t need to escape the colon because it is between the true quotes. Once I remove that escape, I am able to save it.
rule "New_Route"
when
contains(to_string($message.message), "\"source\":\"something\"")
then
route_to_stream("new stream");
remove_from_stream("All messages");
end
When you are doing anything in regex/GROK you need to make sure that you escape special characters with a backslash (possibly more than one depending on Graylog scenario) or they will be treated as a command rather than the character they are, right?
. \ + * ? [ ^ ] $ ( ) { } = ! < > | : -
In your case you are defining a string with true double quotes (That’s just what I call them) so the only thing you need to escape is the double quotes that aren’t ending your string. All other “special” characters will be treated as just a part of that string.
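The escaping rule discussed in this thread can be checked before a rule is pasted into the UI. The following is an added example, not code from either poster or from Graylog: it builds the quoted literal from the raw search text and flags backslash escapes inside double-quoted literals. The set of accepted escapes (Java-style) and both helper names are assumptions.

```python
# Added example. Assumption: inside a double-quoted rule literal only
# Java-style escapes are accepted (\b \t \n \f \r \" \' \\, \uXXXX, octal).
ALLOWED_AFTER_BACKSLASH = set('btnfr"\'\\u01234567')

def to_rule_literal(text):
    """Wrap raw search text in double quotes, escaping only backslash and double quote."""
    return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'

def find_bad_escapes(rule_text):
    """Return (line_no, escape) for each unsupported escape inside a double-quoted literal.
    Literals are assumed not to span lines."""
    problems = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        in_string = False
        i = 0
        while i < len(line):
            ch = line[i]
            if not in_string:
                if ch == '"':
                    in_string = True          # opening quote of a literal
            elif ch == '\\':
                nxt = line[i + 1] if i + 1 < len(line) else ''
                if nxt not in ALLOWED_AFTER_BACKSLASH:
                    problems.append((line_no, '\\' + nxt))
                i += 1                        # skip the escaped character
            elif ch == '"':
                in_string = False             # unescaped quote closes the literal
            i += 1
    return problems

# The two rules from this thread, copied as posted.
BROKEN_RULE = r'''rule "New_Route"
when
contains(to_string($message.message), "\"source\"\:\"something\"")
then
route_to_stream("new stream");
remove_from_stream("All messages");
end'''

FIXED_RULE = BROKEN_RULE.replace(r'\:', ':')

if __name__ == "__main__":
    print(to_rule_literal('"source":"something"'))
    print(find_bad_escapes(BROKEN_RULE))
    print(find_bad_escapes(FIXED_RULE))
```
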