On Mon, Jul 1, 2013 at 2:09 PM, David Blanton <[email protected]> wrote:
>> <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
>
> Mind if I ask why for the regex offset you would want a space : space(digital)?
>

Because FAILED is not a number. My regex says:

^ - This is the beginning of the string we will look at. The character following this will be the FIRST character.

(\S+): - Any non-whitespace string followed by a ":". In this case FAILED is what we are looking for.

\S - I put this in because of the "-". I don't know if all of your samples will have this or not. In fact, if one of your messages does not have the "-", this regex will not work.

(\d+) - Any number; in the example you gave, 351.

$ - Signifies the end of the string. The character to the immediate left of the $ will be the last character in the string.

> Wouldn't it be more like <reg>^\d+:\S(\d+)$?
>
> Also what does the '$' sign mean?
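The regex walkthrough above, as an added example that is not part of the thread: a small Python translator for the OSSEC regex tokens used here (\S, \d, +, ^, $ and groups), run against constructed sample fragments of the form the reply describes. It assumes the token meanings from the OSSEC regex documentation (\S is anything that is not a space, \d is a digit) and runs them through Python's re engine, so it approximates OSSEC's own matcher rather than reproducing it; the sample strings are constructed, not taken from the original logs.

```python
import re

# Translation of the OSSEC regex tokens used in this thread into Python re.
# Assumption: token meanings follow the OSSEC os_regex documentation
# (\S = anything that is not a space, \d = digit). This is a simplified
# demonstration, not OSSEC's own matching engine.
_OSSEC_TOKENS = {
    r"\S": r"[^ ]",            # anything that is not a space
    r"\s": r" ",               # a space
    r"\d": r"[0-9]",           # a digit
    r"\D": r"[^0-9]",          # anything that is not a digit
    r"\w": r"[A-Za-z0-9@_-]",  # OSSEC's word character class
    r"\W": r"[^A-Za-z0-9@_-]",
    r"\.": r".",               # any character
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-style regex into an equivalent Python pattern."""
    out = []
    i = 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _OSSEC_TOKENS:
            out.append(_OSSEC_TOKENS[two])
            i += 2
        elif pattern[i] in "^$()+*|":
            out.append(pattern[i])              # same meaning in both syntaxes
            i += 1
        else:
            out.append(re.escape(pattern[i]))   # everything else is literal
            i += 1
    return "".join(out)


def ossec_match(pattern: str, text: str):
    """Return the captured groups if the OSSEC regex matches, else None."""
    m = re.search(ossec_to_python(pattern), text)
    return m.groups() if m else None


if __name__ == "__main__":
    # Constructed fragments in the shape the thread describes: "<word>: -<number>".
    print(ossec_match(r"^(\S+): \S(\d+)$", "FAILED: -351"))  # ('FAILED', '351')
    # Without the "-", \S consumes the first digit and the capture is wrong.
    print(ossec_match(r"^(\S+): \S(\d+)$", "FAILED: 351"))   # ('FAILED', '51')
    # The suggested ^\d+ form cannot match because FAILED is not a number.
    print(ossec_match(r"^\d+:\S(\d+)$", "FAILED: -351"))     # None
```

Running the decoder regex against every sample line you expect, as done here, is the quickest way to catch the missing "-" case before the decoder goes into production.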
