Hi there

First I want to say how wonderful the "extractor" webpage is: it's so easy to create AND TEST extractors...

...unfortunately the new pipelines (which I want to use as they are the official future) don't have the same testing capacity. Can someone tell me what's wrong with this rule: it should extract pairs of ipv4 addresses out of any message. The pipeline shows all messages flowing through it, but none "hit" this rule. Conversely, my existing extractor rule that does the same thing (but with different fieldnames) is triggering just fine - so this rule must be broken - but I lack the background in whatever Java-nightmare this is to debug it ;-)

rule "function ExtractIPv4Pairs"
when
  regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]",to_string($message.message)).matches
then
  let pair = regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]",to_string($message.message),["src","dst"]);
  set_field("pipeSrcIPv4",to_ip(pair.src));
  set_field("pipeDstIPv4",to_ip(pair.dst));
end

Thanks

PS: it would REALLY help if there were a bunch of sample rules that demonstrated the fundamentals. The one example really doesn't demonstrate enough

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
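
An offline test of the pattern from the rule above, as an added example in Python that is not part of the original post (the pattern uses only syntax that Java and Python regexes share). The sample messages are constructed, and because the post does not say whether the pipeline's regex() must cover the whole message or may match any part of it, the hypothetical helper `extract_pair` shows both behaviours.

```python
import re

# Pattern copied from the rule in the post; the Java string escape "\\." is "\." here.
IP = r"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
DELIM = r"[^0-9a-zA-Z]"
PAIR = re.compile(DELIM + IP + DELIM + r".*" + DELIM + IP + DELIM)

# Constructed sample messages (not taken from the post).
SAMPLES = {
    "delimited": "fw: src=10.1.2.3 dst=192.168.0.9 proto=tcp",
    "wrapped": "<10.1.2.3> to <192.168.0.9>",
    "ip_at_start": "10.1.2.3 -> 192.168.0.9 accepted",
    "ip_at_end": "conn from 10.1.2.3 to 192.168.0.9",
    "single_separator": "pair 10.1.2.3,192.168.0.9 ok",
    "three_ips": "nat 10.1.2.3 via 172.16.0.1 to 192.168.0.9 ok",
    "single_ip": "login from 10.1.2.3 failed",
}


def extract_pair(message, whole_message=False):
    """Return (src, dst) or None.

    whole_message=False: the pattern may match anywhere in the message.
    whole_message=True:  the pattern must cover the entire message.
    """
    m = PAIR.fullmatch(message) if whole_message else PAIR.search(message)
    return m.groups() if m else None


def report():
    """Map sample name -> (anywhere result, whole-message result)."""
    return {
        name: (extract_pair(msg), extract_pair(msg, whole_message=True))
        for name, msg in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (anywhere, whole) in report().items():
        print(f"{name:17} anywhere={anywhere} whole={whole}")
```

The misses come from the pattern itself: each `[^0-9a-zA-Z]` consumes a real character, so an address at the very start or end of the message, or two addresses separated by a single character, cannot match, and the greedy `.*` pairs the first address with the last one.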