Return Group1 from regex not fullmatch

quixter · March 20, 2020, 12:54pm

Hi,

I'm pretty new to both ELK and Filebeat. I'm trying to get a custom field built using a regex value. I'm having to use javascript which seems to be complicating things. I have the following regex .com/([A-Za-z0-9]+)/ it returns .com/clientname/ as a fullmatch and clientname as the group one match. The group 1 match is the desired match for the custom field. Is there a way to do that. Below is what I have in the filebeat yml.

processors:

script:
lang: javascript
id: clientid_regex
source: >
function process(event) {
var cid;
var message;
message=event.Get("message");
if ( cid = message.match(/.com/([A-Za-z0-9]+)//) ) {
event.Put("rcm.clientid", cid);
}
}

shaunak · March 23, 2020, 5:36pm

Hi @quixter, welcome to the Elastic Community Forums!

To extract groups in Javascript I think you'll want to use RegExp.prototype.exec() instead of String.prototype.match(). See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Groups_and_Ranges#Using_groups for an example.

Hope that helps,

Shaunak

quixter · March 23, 2020, 6:03pm

Hi and thanks for the reply. I will explore tat and see if I can figure it out. Been pretty bad at this thing called coding so far.

shaunak · March 23, 2020, 6:50pm

Eh, I'm sure you're doing fine. Computers are hard, and Javascript is harder .

Please post here if you can't get it working. We're here to help!

Shaunak

quixter · April 6, 2020, 1:48pm

I was able to use groups to return it correctly. Simply added [2].

    message=event.Get("message");
    if ( cid = message.match(/.(com)\/([A-Za-z0-9]+)\//)  ) {
      event.Put("rcm.clientid", cid[2]);

system · May 4, 2020, 1:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.