RegexMatcher: Pattern always require full string match #35

tokred opened this issue Jun 2, 2016 · 1 comment

@tokred tokred commented Jun 2, 2016

Problem description

Due to wrongly non-matching regex patterns, I noticed an abnormal and inefficient behavior of the current implementation of the regex() function: the pattern always has to match on the full string value to return true instead of matching on substrings (next match).

Example: regex(pattern: "^foo", value: "foobar") is a non-match
while regex(pattern: "^foo.*", value: "foobar") is a match.

This contradicts standard regex implementations, leads to unnecessary regex state machine steps (especially for leading greedy .*!) and therefore to inefficient message processing!

Reason: RegexMatch.evaluate() uses java.util.regex.Matcher.matches() instead of next-match find(). Also check out this discussion on the differences.

Steps to reproduce the problem

  1. Create a pipeline rule with a regex when-condition.
  2. Set a pattern which matches a substring of messages, see above. The condition will be false.
  3. Modify the pattern to .*<Pattern>.*. The condition will be true.

Environment

  • Graylog Version: 2.0.2
  • Pipeline Processor plugin version: 1.0.0-beta.4

@kroepke kroepke commented Jun 2, 2016

Good point, it was initially modeled after the extractor code which isn't exactly what we wanted here.

I'll fix this for Graylog 2.1/Plugin version 1.1

@kroepke kroepke added this to the 1.0.0 milestone Jun 2, 2016
@kroepke kroepke removed this from the 1.0.0 milestone Jul 29, 2016
@kroepke kroepke added this to the 1.1.0 milestone Jul 29, 2016
edmundoa added a commit that referenced this issue Aug 17, 2016
Do not force the regular expression passed to `regex()` to match the whole
string.

Fixes #35
edmundoa added a commit that referenced this issue Aug 17, 2016
Do not force regular expressions passed to `regex()` to match the whole
string.

Fixes #35
@kroepke kroepke closed this in #88 Aug 18, 2016
kroepke added a commit that referenced this issue Aug 18, 2016
Do not force regular expressions passed to `regex()` to match the whole
string.

Fixes #35
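
The difference between `Matcher.matches()` and `Matcher.find()` discussed in this issue, as an added example (not code from the Graylog plugin). The class name, helper names and sample values are constructed; the last four rows go beyond the issue to show that a pattern meant as an exact comparison needs explicit anchors under `find()`.

```java
import java.util.regex.Pattern;

public class RegexMatchSemantics {

    // Whole-input semantics (Matcher.matches()): the behaviour the issue reports.
    static boolean wholeInput(String pattern, String value) {
        return Pattern.compile(pattern).matcher(value).matches();
    }

    // Next-match semantics (Matcher.find()): the behaviour the issue asks for.
    static boolean nextMatch(String pattern, String value) {
        return Pattern.compile(pattern).matcher(value).find();
    }

    public static void main(String[] args) {
        // Constructed inputs, except the first two rows, which are the issue's example.
        String[][] cases = {
            {"^foo", "foobar"},
            {"^foo.*", "foobar"},
            // A substring pattern of the kind a rule condition would use on a log line.
            {"Failed password", "sshd[812]: Failed password for root from 192.0.2.10"},
            // A pattern meant as an exact comparison on a field value.
            {"admin", "sysadmin2"},
            {"^admin$", "sysadmin2"},
            // '$' also matches before a final line terminator; '\z' does not.
            {"^admin$", "admin\n"},
            {"\\Aadmin\\z", "admin\n"},
        };
        System.out.printf("%-16s %-54s %-10s %s%n", "pattern", "value", "matches()", "find()");
        for (String[] c : cases) {
            String shown = c[1].replace("\n", "\\n"); // keep each row on one line
            System.out.printf("%-16s %-54s %-10b %b%n",
                    c[0], shown, wholeInput(c[0], c[1]), nextMatch(c[0], c[1]));
        }
    }
}
```

Rules written against the full-match behaviour, including ones padded with `.*` as in step 3 above, are worth re-checking with both columns after upgrading.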