
I use graylog 2.0 (http://docs.graylog.org/en/2.0/pages/queries.html) and it's super useful.

I want to refine my full_message search. Currently I'm:

  • searching graylog for all full_message occurrences of the start of the string
  • I then export this to excel
  • split the text (text to columns)
  • apply an autofilter
  • filter for any times > 20

search pattern:

full_message: "Running queue with*" 

search text:

Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 1 items
Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 5 items
Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 25 items
Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 200 items

I'm wondering if a better reg search could just list any record with items > 20.

e.g. the search string would be

full_message: "Running queue with [insert better regex here]" 

Thanks

space_balls

1 Answer


You can use the pattern

Running queue with id: \S+ and (?:\d{3,}|[3-9]\d|2[1-9])

The final group there allows for either:

  • \d{3,} Any number with three or more digits, or
  • [3-9]\d Any number 30-99, or
  • 2[1-9] Any number 21-29

https://regex101.com/r/ctLvQD/1

CertainPerformance
thanks, that's amazing. it looks like the query works as expected in reg101 but doesn't appear to work in graylog. Maybe it's the way that elastic search processes the expression? Does this https://www.elastic.co/guide/en/elasticsearch/reference/2.4/query-dsl-regexp-query.html#regexp-syntax make any sense to you? – space_balls Oct 22 '18 at 00:53
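Added example (not from the answer or the question): the answer's pattern run over the sample lines from the question with Python's `re`, next to a rewrite that uses only constructs listed on the Elasticsearch regexp syntax page linked in the comment. The Lucene-style variant and the assumption that Graylog passes the pattern through unchanged are mine; Python's `fullmatch` only stands in for Elasticsearch's whole-term matching here.

```python
import re

# Constructed sample lines, copied from the question plus a boundary case (20 items).
SAMPLE_LINES = [
    "Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 1 items",
    "Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 5 items",
    "Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 25 items",
    "Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 200 items",
    "Network Queue: Running queue with id: dd82c225-fab7-44ce-9618-67d1ef332a03 and 20 items",
]

# The pattern exactly as given in the answer (PCRE/Python flavour).
PCRE_PATTERN = re.compile(r"Running queue with id: \S+ and (?:\d{3,}|[3-9]\d|2[1-9])")

# Same three alternatives without \d, \S and (?:...), none of which the Lucene
# regexp syntax supports. Lucene anchors a regexp to the whole term, so the
# pattern is wrapped in .* on both sides (assumption: Graylog forwards it as-is).
LUCENE_PATTERN = re.compile(
    r".*Running queue with id: [^ ]+ and ([0-9]{3,}|[3-9][0-9]|2[1-9]) items.*"
)


def items_over_20(lines):
    """Item counts of the lines the answer's pattern accepts (search semantics)."""
    hits = []
    for line in lines:
        if PCRE_PATTERN.search(line):
            hits.append(int(re.search(r"and (\d+) items", line).group(1)))
    return hits


def lucene_style_items_over_20(lines):
    """Same check with the Lucene-style pattern, matched against the whole line."""
    return [int(m.group(1)) for m in map(LUCENE_PATTERN.fullmatch, lines) if m]


if __name__ == "__main__":
    print(items_over_20(SAMPLE_LINES))               # [25, 200]
    print(lucene_style_items_over_20(SAMPLE_LINES))  # [25, 200]
```

Both functions reject 1, 5 and the boundary value 20, and accept 25 and 200, so the alternation really does encode "strictly greater than 20".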