Syslog data routing using match()

Hello,
Hoping to get a clarification on using _raw.match function in a data router, similar to the solution posted here: Syslog Best Practices | Cribl Docs
In the linked article, the match function is used without a regex, and doesn’t seem to require any further logic, such as:
_raw.match('TRAFFIC')

However, when using a RegEx, it appears that additional logic is needed, such as:
_raw.match(/TRAFFIC/i)!=null
(as shown in this post: What’s the best way to add a filter for hosts where I only know that they are going to contain a certain string, but not know if the case, or if they are FQ? _raw.match?)

Is my understanding correct, that using a string match doesn’t require any additional test, but using regex does? If so, may I suggest the documentation example I linked be updated to show the use of RegEx please?

2 UpGoats

As long as the expression returns ‘true-like’ the event will match. My recommendation for this sort of test is to use the Regex.test() method instead as it uses fewer resources:

/your.*regex.*here/.test(_raw)

EDIT: To be clear, _raw.match(/TRAFFIC/i) will work fine. You don’t need any comparison operators. If it doesn’t match, it returns null, which will equate to false. If it does match, the return value will cause the expression to return true.

2 UpGoats
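To make the truthiness point in the answer above concrete, here is an added example (not from this thread, the Cribl docs, or Cribl itself) written in plain JavaScript, which is the language Cribl Filter expressions are evaluated in. It assumes the filter is simply coerced to a boolean, runs the three styles from the thread (string match, regex match with the i flag, RegExp.test) over a few constructed syslog-style events, and shows the one caveat worth knowing: a string passed to match() is compiled as a regular expression, so metacharacters like "." are not literal, and includes() is the right call when you mean a literal substring.

```javascript
// Added example, not code from the thread or from Cribl.
// Assumption: a Filter expression is evaluated once per event and the
// result is coerced to boolean (truthy routes the event, falsy drops it).

// Constructed sample events, standing in for the _raw field of syslog events.
const SAMPLE_EVENTS = [
  "<134>Jan 10 10:00:01 fw01 1,2024/01/10 10:00:01,001,TRAFFIC,end,...",
  "<134>Jan 10 10:00:02 fw01 1,2024/01/10 10:00:02,001,traffic,start,...",
  "<134>Jan 10 10:00:03 fw01 1,2024/01/10 10:00:03,001,THREAT,vulnerability,...",
];

// Evaluate a filter the way a boolean Filter would: truthy -> route the event.
function routes(filter, raw) {
  return Boolean(filter(raw));
}

// String argument: String.prototype.match() converts it to a RegExp,
// matches case-sensitively, and returns a match array (truthy) or null (falsy).
const stringMatch = (raw) => raw.match('TRAFFIC');

// Regex argument with the i flag: same return type (array or null),
// so no "!= null" comparison is needed for the filter to work.
const regexMatch = (raw) => raw.match(/TRAFFIC/i);

// RegExp.prototype.test(): returns a plain boolean and builds no match array,
// which is why it is the cheaper choice for a yes/no filter.
const regexTest = (raw) => /TRAFFIC/i.test(raw);

// Literal substring check, for needles that must not be treated as a pattern.
const literalIncludes = (raw) => raw.includes('TRAFFIC');

// Count how many of the constructed events a given filter would route.
function countRouted(filter) {
  return SAMPLE_EVENTS.filter((raw) => routes(filter, raw)).length;
}

// Caveat: a string handed to match() is compiled as a regex, so "." means
// "any character". '10.00' therefore also matches '10x00' or '10:00'.
function patternVsLiteral(raw) {
  return {
    asPattern: raw.match('10.00') !== null,
    asLiteral: raw.includes('10.00'),
  };
}

// Stand-alone run: show the routing decisions for each filter style.
for (const [name, filter] of Object.entries({ stringMatch, regexMatch, regexTest, literalIncludes })) {
  console.log(`${name}: routes ${countRouted(filter)} of ${SAMPLE_EVENTS.length} events`);
}
console.log(patternVsLiteral(SAMPLE_EVENTS[0]));
```

Both `match()` forms behave identically as filters because null is falsy and a match array is truthy; the difference between `match('TRAFFIC')` and `match(/TRAFFIC/i)` in this run is only the case sensitivity. `test()` gives the same routing decisions as the i-flag regex while returning a boolean directly.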

Thanks, I must have had a problem with my regex earlier, works fine now.

1 UpGoat

Assuming output=true, do you keep the source field as _raw to match the test output?

Can you clarify your question?

Yes, I have a filter in regex extract. I then call a regex command. Will the regex command automatically extract from the filter or do I need to declare the new source field?

Filter Expressions are only evaluated as true/false. The expressions inside the function do not have access to the Filter’s returned values.

How do you call a source field that is being created by the regex filter?

Filter Expressions do not create fields.