Processing rule with regex containing _negative_ lookahead does not save?



  • Avatar
    Harishwer Selvakumar

    Hello Brad,

    Can you please confirm your use-case?
    Please provide the types of Log messages in the source and the log messages which need to be excluded.

    If you would like to exclude certain logs from ingestion, you can make a positive regex match in an Exclude Rule.

    Thank you

    Harishwer Selvakumar
    Customer Success Engineer - Sumo Logic

    Comment actions Permalink
  • Avatar
    Brad Bow

    Hi Harishwer Selvakumar,

    Thanks for the response. Here is what I'm trying to do:

    I have a JSON log payload that is structured like this:


    "version": "1.0.0",
    "command": {
    "id": "xxxx",
    "description": "a thing happened",
    "$name": "foo/bar"
    "links": []


    I want to exclude logs of this format from ingestion into Sumo under the following conditions:

    • the `` field is anything other than 'xxxx' AND
    • the `command.$name` field is 'foo/bar'

    The regex I'm trying to set as an exclude rule is:


    This should match the following JSON logs:

    { "version": "1.0.0", "command": { "id": "yyyy", "description": "a thing happened", "$name": "foo/bar" }, "links": [] }

    { "version": "1.0.0", "command": { "id": "yyyy", "description": "a thing happened", "$name": "foo/bas" }, "links": [] }

    This should not match the following JSON logs:

    { "version": "1.0.0", "command": { "id": "xxxx", "description": "a thing happened", "$name": "foo/bas" }, "links": [] }

    { "version": "1.0.0", "command": { "id": "xxxx", "description": "a thing happened", "$name": "foo/bar" }, "links": [] }

    Here is a link you can use to play with the regex and the payload: I'm farily sure the regex is right, but I can not save it when adding it as a processing rule. Is it possible that you don't support the negative lookahead (i.e. the (?!xxxx) part of the regex)? If so, do you know of another way I could achieve what I've described above?



    Comment actions Permalink

Please sign in to leave a comment.