Let's say I want to set an arbitrary variable in my rsyslog.conf based upon a regexp match against the incoming message. For example (warning, completely contrived examples incoming):
incoming message is "foo:bar=10:baz&blah:blah:blah" I want to do something like: set %!somevar = <bar> (why? Well, I may want to use it in a generic template or other thingsā¦ I don't want to create a specialized template for every possible match) Now I would normally turn to the property replacer and instead of the above I'd do something like this: %msg:R,ERE,1,DFLT:=(.+):.+&--end% Which works fine with real properties ($msg, $pri, etc) but not so great with user or extended properties like %!somevar as far as I can determine. You'd think it would be simply something like: %somevar:R,ERE,1,DFLT:=(.+):.+&--end% but when I then try to access that variable later on in a template like this: template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if $!somevar == "10" then) It tells me it's an invalid property (plain old %$somevar% doesn't work either). I tried various incarnations of: set $!somevar = <twiddly bits here>; as well, also with no success. My question is, first *can* I do this (set an arbitrary user level variable to the contents of a regex match) or barring that is there another way I can do this? For the record, I'm doing this for a LOT of different log entries and am checking the logs for what we call "beacons". I do not necessarily want to write a slew of different templates based upon the values of these beacons (I do various different things with the output depending on the value of the beacon) so a purely template approach while possible, is not optimal for my situation. Thanks! -- Gary F. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
