Use regular expression for search

Graylog Central (peer support)
1

Hi, I want to use for search regular expression. I want to search Infected files in logs from antimalware solution. The text is “Infected: /number of infected files/”

I read the help, but /[Ii]nfected…[1-9]+/ doesnt work. On the page for test regex text works.

Graylog 5.0.3+a82acb2 on Unknown (Eclipse Adoptium 17.0.6 on Linux 5.10.0-21-amd64)

2

Could you give us an example of the message in the field you are searching for? And the exact search you are trying to run? It would help us to give you a clearer answer.

3

Message:
ASHIELD SymantecServer: Scan ID: 1676038165,Begin: 2023-04-24 09:13:00,End: 2023-04-24 10:14:19,Completed,Duration (seconds): 3679,User1: xxxxxxyyyy,User2: xxxxxxyyyy,Prověřování zahájeno v: všechny jednotky a všechny přípony.,Prověřování Dokončit: Rizika: 1 Prověřeno: 170258 souborů/složek/disků Vynecháno: 0 Přeskočené důvěryhodné soubory: 151783,Command: Not a command scan (),Threats: 1,Infected: 1,Total files: 170258,Omitted: 0,Computer: PC-38,IP Address: XX.XX.XX.XX,Domain: Doman,Group: My Company\Desktops\Desktops Virtual,Server: ASHIELD

Search: message: “Infected: 1” works.
But there can by more infected files than 1. I want to search text “Infected: 1-999999…”.

4

Ah, I see. Regex queries require you to match the whole string, so you ideally wouldn’t want to use a regex query here. The ideal solution is to use pipelines to parse out your message into fields, with the end goal being to have ‘Infected’ as a field rather than a search term.

Once you parse it out, you can do queries like Infected:>0 It’s much cleaner to do this kind of work at ingest time than search time. This also means you can use it in visualisations too.

5

To add to kpearsons reply.

a KV-Parser in a Pipepline Rule should do the trick in this case.

rule "KV-Parser"
when
    has_field("message")
then
    set_fields(
                fields:
                    key_value(
                    value: to_string($message.message), 
                    delimiters: ",",
                    kv_delimiters: ":",
                    trim_value_chars: "",
                    trim_key_chars:""
                    )
            );
end
1 Like
6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.