Skip to main content

Regular Expressions for Event Breakers

The most common Event Breaker used in Cribl deals with regular expressions.

Regex Event Breakers are applied continuously to a stream of data. Breaking occurs when a pattern match starts. The Event Breaker consumes and discards the matched text.

Regular Expressions Example

Consider the following stream of data:

this is the first event\nthis is the second event\n...

When a regex of [\n\r]+ is applied to this data stream, it will match the newline characters (\n). Because the regex matches will consume the newline characters, they will be removed, and the first event will be passed to the Routes.

caution

Using regex capture groups (parentheses without modifiers) will cause undesired behavior. They improperly break the stream of data, because they produce secondary matches.

Remember: Anything that matches in the regex is considered an event boundary!

Regex Lookarounds

How would you match an event that spans multiple lines? The answer: Lookarounds. Lookarounds come in four flavors:

  1. Positive lookaheads
  2. Negative lookaheads
  3. Positive lookbehinds
  4. Negative lookbehinds

Lookarounds are non-capturing groups, which mean they won't produce undesirable event boundaries.

Consider the following stream of data:

this is the first event
  this is the second line
  this is the third line
this is the second event
  ...

By using the [\n\r]+ Event Breaker, the second line of the first event would be incorrectly broken to a separate event. By using a negative lookahead, we can modify the regex to match if (and only if) the next line does not begin with a space.

This regex looks like the following:

[\n\r]+(?!\s+)

You can see the negative lookahead defined in the parentheses with the ?! characters. For details, see Lookahead and Lookbehind Zero-Length Assertions.

note
  1. Navigate to Processing > Knowledge.
  2. Click Event Breaker Rules in the left navigation.
  3. Click the blue Add Ruleset button.
  4. In the New Ruleset configuration modal, click the Add Rule button.
  5. Try this Event Breaker by copying and pasting the sample event above into the input section. Click anywhere in the input pane, outside the field labeled Paste your events here or upload a sample file.
  6. Switch the regex between [\n\r]+ and [\n\r]+(?!\s+) in the Event Breaker field, and observe the changing highlighting of the events displayed on the Out tab.
  7. Close all dialogs without saving this Event Breaker. It is not required later in the course.

Conclusion

In this module, we discussed the application of regular expressions to streams of data in Cribl. In the next module, you'll learn more about how to properly extract timestamps from events.