> -----Original Message----- > From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog- > boun...@lists.adiscon.com] On Behalf Of Gary Foster > Sent: Wednesday, March 20, 2013 10:30 PM > To: rsyslog-users > Subject: [rsyslog] property replacer and regexps > > Let's say I want to set an arbitrary variable in my rsyslog.conf based upon a > regexp match against the incoming message. For example (warning, > completely contrived examples incoming): > > incoming message is "foo:bar=10:baz&blah:blah:blah" > > I want to do something like: > > set %!somevar = <bar> > > (why? Well, I may want to use it in a generic template or other things... I > don't want to create a specialized template for every possible match) > > Now I would normally turn to the property replacer and instead of the above > I'd do something like this: > > %msg:R,ERE,1,DFLT:=(.+):.+&--end% > > Which works fine with real properties ($msg, $pri, etc) but not so great with > user or extended properties like %!somevar as far as I can determine. > > You'd think it would be simply something like: > > %somevar:R,ERE,1,DFLT:=(.+):.+&--end%
%$!somevar:R,ERE,1,DFLT:=(.+):.+&--end% > > but when I then try to access that variable later on in a template like this: > > template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if > $!somevar > == "10" then) Mmh... that should work. If not, can you pls post a debug log? This sample may also be useful for you (and it definitely works! ;): http://git.adiscon.com/?p=rsyslog.git;a=blob;f=doc/confsamples/normalization.conf;h=7cfd92ef86964281cd3cea8ff89ac9111c5668be;hb=HEAD > > It tells me it's an invalid property (plain old %$somevar% doesn't work > either). > > I tried various incarnations of: > > set $!somevar = <twiddly bits here>; > > as well, also with no success. > > My question is, first *can* I do this (set an arbitrary user level variable > to the > contents of a regex match) I think there currently is no function to actually extract a regex match (but I may be wrong, cannot look up the code right at the moment). Rainer >or barring that is there another way I can do this? > For the record, I'm doing this for a LOT of different log entries and am > checking the logs for what we call "beacons". I do not necessarily want to > write a slew of different templates based upon the values of these beacons > (I do various different things with the output depending on the value of the > beacon) so a purely template approach while possible, is not optimal for my > situation. > > Thanks! > > -- Gary F. > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
