I added this Github issue so you can track the issue I mentioned in point number 2: https://github.com/Graylog2/graylog-plugin-pipeline-processor/issues/46
Cheers,
Edmundo

> On 18 Jul 2016, at 10:51, Edmundo Alvarez <[email protected]> wrote:
>
> I spent some time debugging the issue, and I found two of them:
>
> 1. The when expression should be wrapped in a "to_bool" function, otherwise
> the parser gets confused about it and replaces it with "false":
>
> to_bool(regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]",to_string($message.message)).matches)
>
> 2. There seem to be some problems when handling strings containing
> backslashes. You need to escape them so they get parsed, but then the escape
> character is still being used in the regular expression. I will investigate
> further and keep you posted on that.
>
> Cheers,
> Edmundo
>
>> On 13 Jul 2016, at 12:31, Jason Haar <[email protected]> wrote:
>>
>> On Mon, Jul 11, 2016 at 11:28 AM, Jason Haar <[email protected]> wrote:
>> If I take the regex I wrote in this rule (as per first email), replace '\\'
>> with '\', then the regex works fine via egrep. It's a simple "when, do this"
>> type statement: I can't see what's gone wrong in it.
>>
>> Oh - and thanks to your comment about the regex needing to match the entire
>> line, I put ".*" at the beginning and end - but it made no difference. Still
>> no Cisco syslog messages (as above) match.
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Graylog Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/graylog2/CAFChrgJZng%2Bzc-iZ%2Bv73%2Bd8Q6YatVATaDtj2R%3Dd7sR9iXZfbHQ%40mail.gmail.com.
>> For more options, visit https://groups.google.com/d/optout.
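For reference, here is what the thread's fix looks like as a complete pipeline rule. This is an added example written for this page, not code posted by either participant or shipped by Graylog. It takes the regex and the to_bool(regex(...).matches) wrapping exactly as given in Edmundo's reply, adds the leading and trailing ".*" that Jason mentions (the thread states the regex has to match the entire message), and then re-runs the match in the action block to copy the two captured addresses into fields. The rule name, the field names cisco_first_ip and cisco_second_ip, and the sample log line in the comment are assumptions for illustration; the line was constructed for this example and is not a real log. The thread also reports that backslash handling in string literals was still under investigation at the time, so whether the doubled backslashes survive parsing correctly is exactly the open question of the GitHub issue above.

```graylog
// Added example (not from the thread or from Graylog): a full pipeline rule
// around the to_bool(regex(...).matches) condition discussed above.
// Rule name and output field names are assumptions for illustration.
//
// Constructed sample message this rule is meant to match (not a real log):
//   %ASA-6-106015: Deny TCP (no connection) from 10.1.2.3/51234 to 192.0.2.10/443 flags SYN on interface outside
// Expected fields after the rule runs: cisco_first_ip = 10.1.2.3, cisco_second_ip = 192.0.2.10
rule "cisco: extract two ip addresses"
when
  // The whole condition is wrapped in to_bool(), as the thread describes.
  // Every backslash in the pattern is doubled inside the string literal so
  // that "\\." reaches the regex engine as a literal dot.
  // Leading and trailing ".*" are present because the match must cover the
  // entire message, not just a substring.
  to_bool(regex(".*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*", to_string($message.message)).matches)
then
  // Run the same match again here; the captured groups are exposed on the
  // returned map under the keys "0" and "1".
  let m = regex(".*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*", to_string($message.message));
  set_field("cisco_first_ip", m["0"]);
  set_field("cisco_second_ip", m["1"]);
end
```

Note that the leading ".*" is greedy, so on a message that carries more than two addresses the first group will be the latest address that still leaves one more address after it, not necessarily the "source". For real Cisco messages you would anchor the pattern on the surrounding keywords ("from", "to") rather than on arbitrary non-alphanumeric characters.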
