How Do I Append A Wildcard Character To The End Of A Query Variable's RegEx?

This question is scoped to creating query variables and using RegEx expressions to modify the search query's results.

I have a hostname recorded in my ElasticSearch logs in the following form:

ip-10-109-28-254.us-west-2.compute.internal

I’ve written a RegEx to capture only the IP address (including the “ip” prefix).

This is the RegEx: /(ip-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})/

Which returns: ip-10-109-28-254

This is exactly what I want, however I would also like to append a wildcard character to the end of this string so it now reads:

ip-10-109-28-254*

How do I modify my RegEx to include the * suffix? Is this possible?

Use Case

I’m using RegEx in a Query Variable in Kibana. You are allowed ONE RegEx expression so appending the suffix needs to be done in one expression. I’ll use the value to make ElasticSearch wildcard queries (e.g. host.hotname:$QueryVariableName). This will allow me to do a wildcard search for the hostname.

I’ve tried a variety of combinations and I can get it to work.

Thanks

are you trying to add a literal * to the end of your match, or are you asking how to add the * metacharacter to the end of your regex?

in other words, would adding .* to the end of your regex give you the result that you want?

in other words,

(ip-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}).*

now matches:

ip-10-109-28-254.us-west-2.compute.internal
ip-10-109-28-254.us-east-2.compute.internal
ip-10-109-28-254.us-north-2.compute.internal
ip-10-109-28-254.europe.compute.internal
ip-10-109-28-254.2.compute.internal
ip-10-109-28-254.compute.internal

if not, could you help clarify what you’re trying to achieve?

Happy Friday!

After I had originally posted this question I tried that combination. It doesn’t work. I think it becomes part of the pattern that Regex is looking for. I think the way it has to be done is by altering the capturing group. I tried that too, without success.

In the end, what I did was use the “dissect” processor in MetricBeat. I had the problem solved in less than 30 minutes! Looking back, I probably should have done that at the outset.

So now, after using dissect I have a new derived field called “dissect_ipadress”. It works great and it simplifies what I have to do in Grafana. It’s part of my log record now.

What I’d really love to see is Grafana add string functions. RegEx is great, don’t get me wrong. But it would be nice to just have an easy to read function. One example, for instance:

Consider this Lucene query:

fields.Application:MyApp fields.Instance:(strReplace("${FQN}",".us-west-2.compute.internal",""))

Of course, “strReplace” doesn’t exist in Grafana now. But a bunch of string manipulation features would be a nice addition. For example…

Function Name: strReplace(sourceString,stringToReplace,ReplacementValue)
$FQN(Grafana variable containing Fully Qualified Name): ip-10-109-28-254.us-west-2.compute.internal
String to remove from the $FQN: “.us-west-2.compute.internal”
End result: ip-10-109-28-254

In my opinion that’s easier to use than RegEx.

Maybe I should put in a feature request for that if someone hasn’t already?

Thanks for your suggestion though.
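
An added example, not part of the thread: the two patterns from the posts above, run in JavaScript against the hostname from the question. It shows that a trailing .* widens the whole match but leaves the capture group unchanged, so a literal * has to be concatenated after extraction. The names extract, wildcardTerm and strReplace are hypothetical helpers; strReplace mimics the function proposed in the last post and is not a Grafana feature.

```javascript
// Constructed sample input: the hostname quoted in the question.
const FQN = "ip-10-109-28-254.us-west-2.compute.internal";

// The two patterns from the thread.
const CAPTURE = /(ip-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})/;
const CAPTURE_DOT_STAR = /(ip-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}).*/;

// Returns the whole match and the first capture group,
// or null when the pattern does not match.
function extract(pattern, value) {
  const m = pattern.exec(value);
  return m === null ? null : { whole: m[0], group1: m[1] };
}

// Hypothetical helper: a match can only return text that is present in
// the input, so the literal "*" is appended after the capture is taken.
function wildcardTerm(value) {
  const hit = extract(CAPTURE, value);
  return hit === null ? null : hit.group1 + "*";
}

// Hypothetical strReplace with the signature from the last post.
// Plain string replacement (no regex); replaces every occurrence.
function strReplace(sourceString, stringToReplace, replacementValue) {
  return sourceString.split(stringToReplace).join(replacementValue);
}

const plain = extract(CAPTURE, FQN);
const dotStar = extract(CAPTURE_DOT_STAR, FQN);
console.log("group 1, original pattern:", plain.group1);
console.log("group 1, with .* appended:", dotStar.group1);
console.log("whole match, with .* appended:", dotStar.whole);
console.log("wildcard term:", wildcardTerm(FQN));
console.log("strReplace:", strReplace(FQN, ".us-west-2.compute.internal", ""));
```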