Regex rule function does not work correctly

[gianluca-valentini]

Problem description

Function regex should return all the occurrences that satisfy the given pattern.
It seems that if we use a regex pattern that should find more then one occurence, the function only returns the first one.

Steps to reproduce the problem

create the following rule:

rule "function Regex Issue"
when
    true
then
let input= "bar foo1 hello foo2";
let pattern ="(foo.)";

let field = regex(pattern, to_string(input));
set_fields(field);

end

My expected result should be:
0: foo1
1:foo2

Instead I get the only 0:foo1 group.

Environment

• Graylog Version: 2.2.3
• Pipeline Processor plugin version:2.2.3
• Elasticsearch Version: docker image: 'elasticsearch:2'
• MongoDB Version: docker image: 'mongo:3'
• Operating System: Docker host: ubuntu
• Browser version: Chrome 57.0.2987.133

[gianluca-valentini]

RegexMatch.zip

I tryed to solve this issue modifying the RegexMatch java class

[kroepke]

Yes, it looks like the matcher only retrieves the first one and not all of them.
I'll need to figure out if changing that will subtly change behavior so that other patterns stop working, but I suspect it won't.

If you'd like to contribute I would like to ask to send pull requests instead of zip files. For unfortunate legal reasons we need to be able to attribute changes and require a signed contributors license agreement (which is automated via pull request on github).

Thanks!

[gianluca-valentini]

Hi kroepke,
I just submitted the pull request (#174).
Thanks
Gianluca