I'm trying to extract a port name from a log message such as this one (copied from my rsyslog permanent archive before it was transfered on into graylog 1.0.1)
*2015-04-13T22:42:19-05:00 10.146.156.20 INFO: Port 1:37 link up, 100Mbps FULL duplex* I want to extract the port name, which in this line is "*1:37*" but nothing, absolutely nothing I've tried has worked. I have no problem extracting that field from lines like: *2015-04-13T11:06:16-05:00 10.144.24.91 INFO: Port 7 link up, 100Mbps FULL duplex* I've tried "Port (\d+)", "Port (\S+)", "Port ([\d\:]+)", "Port (\d+:\d+)", "Port (\d*:?\d+)" and even "Port (.+) link", all with and without ^.+ and .+$ endings, and nothing works. I can always get the port out when it's just digits, but as soon as the input contains a colon, it refuses to match. I've spent two hours trying trick after trick and nothing has worked. I've been writing regexp in perl for decades so I'm pretty confident of my basic understanding of regexps. I've studied the Java documentation as well and don't see any reason why this continues to fail. What really, really is bugging me is that *ALL of those patterns worked fine in the extractor editor test page*, but once I save the extractor and go try to use it, it fails. I'm selecting actual messages out of the input and loading the messages up to test against. The only thing I can think of is that something about the underlying java is puking on the ":" in the content being matched, and it's causing the test to fail. Just for grins, I looked at the indexer page, and I see bunches of this: *MapperParsingException[failed to parse [port]]; nested: NumberFormatException[For input string: "1:3"];* But I have specifically told this extractor to NOT convert the thing to a number. I even tried forcing in a 'lowercase' converter, but that didn't help, either. It appears that the extractor is insisting on converting the field to a number before creating it, despite what I told it to do with the converter settings. I've searched through the group posts here and found the ones where variable white space was an issue; I've checked against the original content (see above) and that isn't the issue. (I tried using \s+, a space, etc, and those made no difference, either.) Can anyone show me a pattern that will properly return a match for *1:37*? And have it properly set the new field? Here's a copy/paste of the extractor as it exists right now, it's giving me port fields with values only when the values are one or more digits. None of them with : are getting set. Trying to extract data from *message* into *port*, leaving the original intact. Configuration: - regex_value: ^.+INFO:\s+Port\s+(\S+)\s.+$ Converters - uppercase Any suggestions would be most welcome. -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
