Hi Jochen, thanks for the reply.
I'm actually looking for specific messages from different processes.
"Cumbersome" was probably the wrong word to describe using contains(), I
just wanted to be sure I was using the best statements to match messages
before I wrote rules for the whole environment.
A more specific example, if I'm looking to drop the message:
May 30 06:55:37 vega-3 /usr/bin/filebeat[676]: registrar.go:163: Registry file updated. 12 states written.
I could use either:
rule "Drop Routine filebeat Messages : registrar.go"
when
  contains(to_string($message.message), "/usr/bin/filebeat") &&
  contains(to_string($message.message), "registrar.go") &&
  contains(to_string($message.message), "Registry file updated") &&
  contains(to_string($message.message), "states written")
then
  drop_message();
end
or
rule "Drop Routine filebeat Messages : registrar.go"
when
  regex("^.+\\/usr\\/bin\\/filebeat\\[.+\\].+registrar\\.go\\:.+Registry file updated.+states written\\.", to_string($message.message)).matches
then
  drop_message();
end
(I'm not sure why I have to double-escape, but the editor in Graylog makes
me. I'm a bit of a novice, so I'm probably missing something.)
Aside from being shorter, the regex is much more precise. While I don't
expect unintended matches when using contains(), I have a much easier time
imagining it happening.
On Monday, May 30, 2016 at 2:29:32 AM UTC-8, Jochen Schalanda wrote:
>
> Hi Chad,
>
> if you're simply looking for "SomeProc" inside the "message" field, why
> not use the contains() function? Why would that be more cumbersome?
>
> Cheers,
> Jochen
>
> On Wednesday, 25 May 2016 23:18:20 UTC+2, Chad Sheets wrote:
>>
>> I'm attempting to drop messages according to regular expressions and was
>> wondering if it can be done with pipelines.
>>
>> Looking at various other sources and reading the docs I came up with
>> something like this:
>>
>> rule "drop via regex"
>> when
>> regex("^.+SomeProc"), to_string($message.message)).matches
>> then
>> drop_message();
>> end
>>
>> however I can't get it to work.
>>
>> I could, alternatively, attempt to use a string of ` contains(...) `
>> though that seems more cumbersome.
>>
>> Please also let me know if I'm going about this the wrong way. I'm
>> attempting to use pipelines over drools since that seems to be the
>> direction graylog is heading.
>>
>>
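Before a drop rule goes live it is worth running both matchers over a few sample messages, since an over-broad drop rule silently discards log evidence. The script below is an added example, not Graylog code and not from anyone in this thread; it assumes Graylog rule string literals unescape a doubled backslash to a single one (Java-style), that regex(...).matches behaves like a search with the pattern, and that contains() is case-sensitive. The two extra log lines are constructed.

```python
import re

# Pattern exactly as typed into the Graylog rule editor (double-escaped).
RULE_LITERAL = (r"^.+\\/usr\\/bin\\/filebeat\\[.+\\].+registrar\\.go\\:"
                r".+Registry file updated.+states written\\.")

# The four substrings used by the contains() version of the rule.
CONTAINS_TERMS = ["/usr/bin/filebeat", "registrar.go",
                  "Registry file updated", "states written"]

# Constructed sample messages: the first is the registrar line from the
# thread, the other two are made up to probe each matcher.
MESSAGES = [
    "May 30 06:55:37 vega-3 /usr/bin/filebeat[676]: registrar.go:163: "
    "Registry file updated. 12 states written.",
    # a sudo log line echoing all four substrings, but not a filebeat message
    "May 30 06:56:01 vega-3 sudo[2001]: chad : COMMAND=/bin/grep "
    "'Registry file updated' 'states written' /usr/bin/filebeat registrar.go",
    # a genuine filebeat line that is not the routine registrar message
    "May 30 06:57:00 vega-3 /usr/bin/filebeat[676]: crawler.go:78: "
    "Loading Prospectors: 1",
]


def rule_literal_to_pattern(literal: str) -> str:
    # Undo the rule-language string escaping (assumed Java-style): the
    # doubled backslash typed in the editor becomes one backslash for the
    # regex engine, which is why the editor makes you double-escape.
    return literal.encode("ascii").decode("unicode_escape")


def regex_rule_matches(message: str) -> bool:
    # Model regex(pattern, message).matches as a search with the pattern.
    return re.search(rule_literal_to_pattern(RULE_LITERAL), message) is not None


def contains_rule_matches(message: str) -> bool:
    # Model the chained contains() conditions (case-sensitive by default).
    return all(term in message for term in CONTAINS_TERMS)


def evaluate(messages=MESSAGES):
    # (regex_matched, contains_matched) per message: which messages each
    # variant of the drop rule would discard.
    return [(regex_rule_matches(m), contains_rule_matches(m)) for m in messages]


if __name__ == "__main__":
    for msg, (by_regex, by_contains) in zip(MESSAGES, evaluate()):
        print(f"regex={by_regex!s:5} contains={by_contains!s:5} {msg[:60]}")
```

The second message shows the case Chad is worried about: every contains() term is present, so the chained version drops it, while the anchored regex does not.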
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.