Hello I have the following pipeline rule and try to extract a regex match to a field:
when
true == true
then
let result = regex(“utm_source=[A-Za-z0-9]+\s{1}|utm_source=[A-Za-z0-9]+&”,
to_string($message.message));
set_field(“utm_source”, to_string(result[“0”]));
set_field(“full_match”, to_string(result));
set_field(“RULE_EXTRACT_FIELDS”, “confirm_rule_was_processed”);
end
now I tested this string in regex101 and selected java8. I also looked at some documentation from Graylog that I have to escape the \ from \s and ended up with \s to represent \s.
When testing in regex101 the following part of the message:
“?utm_source=financeads&utm_m” had a successful match:
" Match 1 93-115 utm_source=financeads&"
this was copied directly from a processed message where RULE_EXTRACT_FIELDS got successfully set.
my field full_match looks like this with an empty match:
full_match = {}
and utm_source doesn’t get set at all.
so I expect the field “utm_source” to have the value utm_source=financeads&
… but this is not happening. can anyone help me?