Processing rule with regex containing _negative_ lookahead does not save?

Comments

  • Harishwer Selvakumar

    Hello Brad,

    Can you please confirm your use-case?
    Please provide the types of Log messages in the source and the log messages which need to be excluded.

    If you would like to exclude certain logs from ingestion, you can make a positive regex match in an Exclude Rule.
    https://help.sumologic.com/Manage/Collection/Processing-Rules/Include-and-Exclude-Rules

    Thank you

    Regards
    Harishwer Selvakumar
    Customer Success Engineer - Sumo Logic

  • Brad Bow

    Hi Harishwer Selvakumar,

    Thanks for the response. Here is what I'm trying to do:

    I have a JSON log payload that is structured like this:

    ```
    {
      "version": "1.0.0",
      "command": {
        "id": "xxxx",
        "description": "a thing happened",
        "$name": "foo/bar"
      },
      "links": []
    }
    ```

    I want to exclude logs of this format from ingestion into Sumo under the following conditions:

    • the `command.id` field is anything other than 'xxxx' AND
    • the `command.$name` field is 'foo/bar'

    The regex I'm trying to set as an exclude rule is:

    ```
    .*\"command\"\s*\:\s*{[^}]*\"id\"\s*\:\s*\"(?!xxxx).*\"\$name\"\s*\:\s*\"foo\/bar\".*
    ```

    This should match the following JSON logs:

    ```
    { "version": "1.0.0", "command": { "id": "yyyy", "description": "a thing happened", "$name": "foo/bar" }, "links": [] }
    { "version": "1.0.0", "command": { "id": "yyyy", "description": "a thing happened", "$name": "foo/bas" }, "links": [] }
    ```

    This should not match the following JSON logs:

    ```
    { "version": "1.0.0", "command": { "id": "xxxx", "description": "a thing happened", "$name": "foo/bas" }, "links": [] }
    { "version": "1.0.0", "command": { "id": "xxxx", "description": "a thing happened", "$name": "foo/bar" }, "links": [] }
    ```

    Here is a link you can use to play with the regex and the payload: https://regex101.com/r/oKmN0K/3. I'm fairly sure the regex is right, but I cannot save it when adding it as a processing rule. Is it possible that you don't support the negative lookahead (i.e. the `(?!xxxx)` part of the regex)? If so, do you know of another way I could achieve what I've described above?

     

     

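Added example, not part of either post and not Sumo Logic code: where a rule engine has no lookahead (RE2-style engines do not), the "`command.id` is anything other than 'xxxx'" condition from the post above can be written as a plain alternation. The Python below runs the regex from the thread and that rewrite over the thread's four payloads; `NOT_XXXX`, `NO_LOOKAHEAD`, `payload`, `is_excluded` and `compare` are names made up here, and Python's `re` stands in for the collector's engine as an assumption.

```python
import re

# The rule copied from the thread (negative lookahead on the id value).
LOOKAHEAD = re.compile(
    r'.*\"command\"\s*\:\s*{[^}]*\"id\"\s*\:\s*\"(?!xxxx)'
    r'.*\"\$name\"\s*\:\s*\"foo\/bar\".*'
)

# Lookahead-free "any value except exactly xxxx" (hypothetical rewrite):
#   x{0,3}            -> "", "x", "xx", "xxx"
#   x{0,3}[^x"][^"]*  -> a non-x character somewhere in the first four
#   xxxx[^"]+         -> starts with xxxx but is longer
NOT_XXXX = r'(?:x{0,3}|x{0,3}[^x"][^"]*|xxxx[^"]+)'
NO_LOOKAHEAD = re.compile(
    r'.*"command"\s*:\s*\{[^}]*"id"\s*:\s*"' + NOT_XXXX +
    r'"[^}]*"\$name"\s*:\s*"foo/bar".*'
)

def payload(cmd_id, name):
    """Build a one-line log in the shape shown in the thread."""
    return ('{ "version": "1.0.0", "command": { "id": "%s", '
            '"description": "a thing happened", "$name": "%s" }, "links": [] }'
            % (cmd_id, name))

# The four payloads from the thread, in the order they appear there.
THREAD_SAMPLES = [payload("yyyy", "foo/bar"), payload("yyyy", "foo/bas"),
                  payload("xxxx", "foo/bas"), payload("xxxx", "foo/bar")]

def is_excluded(pattern, line):
    """True when the whole line matches, i.e. an exclude rule would drop it."""
    return pattern.fullmatch(line) is not None

def compare(lines):
    """Return (lookahead result, lookahead-free result) for each line."""
    return [(is_excluded(LOOKAHEAD, l), is_excluded(NO_LOOKAHEAD, l))
            for l in lines]

if __name__ == "__main__":
    for line, result in zip(THREAD_SAMPLES, compare(THREAD_SAMPLES)):
        print(result, line)
    # Constructed edge case: (?!xxxx) rejects any id that merely starts with
    # xxxx, while the alternation rejects only the exact value.
    print(compare([payload("xxxxz", "foo/bar")]))
```

The two patterns agree on every payload in the thread; they differ only for ids that begin with `xxxx` and continue, which the alternation treats as "other than xxxx".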
