Regex rule function does not work correctly

gianluca-valentini commented 7 years ago

Problem description

Function regex should return all the occurrences that satisfy the given pattern. It seems that if we use a regex pattern that should find more then one occurence, the function only returns the first one.

Steps to reproduce the problem

create the following rule:

rule "function Regex Issue"
when
    true
then
let input= "bar foo1 hello foo2";
let pattern ="(foo.)";

let field = regex(pattern, to_string(input));
set_fields(field);

end

My expected result should be: 0: foo1 1:foo2

Instead I get the only 0:foo1 group.

Environment

Graylog Version: 2.2.3
Pipeline Processor plugin version:2.2.3
Elasticsearch Version: docker image: 'elasticsearch:2'
MongoDB Version: docker image: 'mongo:3'
Operating System: Docker host: ubuntu
Browser version: Chrome 57.0.2987.133

gianluca-valentini commented 7 years ago

RegexMatch.zip

I tryed to solve this issue modifying the RegexMatch java class

kroepke commented 7 years ago

Yes, it looks like the matcher only retrieves the first one and not all of them. I'll need to figure out if changing that will subtly change behavior so that other patterns stop working, but I suspect it won't.

If you'd like to contribute I would like to ask to send pull requests instead of zip files. For unfortunate legal reasons we need to be able to attribute changes and require a signed contributors license agreement (which is automated via pull request on github).

Thanks!

gianluca-valentini commented 7 years ago

Hi kroepke, I just submitted the pull request (#174). Thanks Gianluca

Graylog2 / graylog-plugin-pipeline-processor