Let's say I want to set an arbitrary variable in my rsyslog.conf based upon a 
regexp match against the incoming message.  For example (warning, completely 
contrived examples incoming):

incoming message is "foo:bar=10:baz&blah:blah:blah"

I want to do something like:

set %!somevar = <bar>

(why?  Well, I may want to use it in a generic template or other thingsā€¦ I 
don't want to create a specialized template for every possible match)

Now I would normally turn to the property replacer and instead of the above I'd 
do something like this:

%msg:R,ERE,1,DFLT:=(.+):.+&--end%

Which works fine with real properties ($msg, $pri, etc) but not so great with 
user or extended properties like %!somevar as far as I can determine.

You'd think it would be simply something like:

%somevar:R,ERE,1,DFLT:=(.+):.+&--end%

but when I then try to access that variable later on in a template like this:

template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if $!somevar 
== "10" then)

It tells me it's an invalid property (plain old %$somevar% doesn't work either).

I tried various incarnations of:

set $!somevar = <twiddly bits here>;

as well, also with no success.

My question is, first *can* I do this (set an arbitrary user level variable to 
the contents of a regex match) or barring that is there another way I can do 
this?  For the record, I'm doing this for a LOT of different log entries and am 
checking the logs for what we call "beacons".  I do not necessarily want to 
write a slew of different templates based upon the values of these beacons (I 
do various different things with the output depending on the value of the 
beacon) so a purely template approach while possible, is not optimal for my 
situation.

Thanks!

-- Gary F.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to