I distilled my test conf file down to the bare minimum in order to duplicate 
this error.  Here it is. 

The file as written causes rsyslog to fail on startup with the aforementioned 
config file error.  If I comment out the property replacer line and the output 
to /var/log/test.log, it loads fine and in fact matches exactly what I want out 
of the log stream and dumps the log entries I expect to /var/log/matched.log 
(albeit the entire line, not the individual line I am matching out).

A sample matched log line looks like this:

2013-03-26T18:24:36+00:00 mediacast4 rg_events: 10.244.113.41 - - 
[26/Mar/2013:18:24:36 +0000] "GET 
/events?rg_type=2.4.5:info&rg_player_type=standard&rg_publisher=Bluefin&rg_publisher_id=1114&rg_domain_category_id=&rg_domain_id=2b97a9c08a1d2e5b4df7a0ff3edf10e5&rg_page_host_url=Scripting%20Error%20TypeError:%20Unable%20to%20get%20value%20of%20the%20property%20'width':%20object%20is%20null%20or%20undefined&rg_ad_domain_id=null&rg_player_uuid=340a133b-a2d3-44b6-a760-c93020e01e17&rg_video_provider_id=601&rg_video_catalog_id=560&rg_video_index_id=9&rg_guid=bd2054b7-9a9e-42a6-978d-140ae19cc408&rg_session=98accc034b7b9bbb3b74594c002a90cf&rg_counter=81.01%20162%2050&rg_event=jwplayerMediaTime&rg_category=Stream%20Progress&rg_lable=http://videos.realgravity.com/948/content/216513/940835-bd2054b7-9a9e-42a6-978d-140ae19cc408.mp4
 HTTP/1.1" 200 0 "http://anomaly.realgravity.com/flash/rg_all.swf"; "Mozilla/5.0 
(compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

I am trying to get this part out:

rg_counter=81.01%20162%2050

In fact, that's not entirely true… I really only want the "50" from the above 
and I want that in a property (I'm incrementing a counter in redis based on 
that).

my simplified rsyslog.conf
~~~~~~~~~~~~~
# enable RELP server
$ModLoad imrelp

$InputRELPServerRun 2514

$WorkDirectory /mnt/ebs/rsyslog_data

$template sub_test_template, "foo: %$!foo%\n"

if $programname == 'rg_events' then {
    if $msg contains 'rg_category=Stream%20Progress' and re_match($msg, 
".+rg_counter=.+%20.+%20(.{2})&") then {
       /var/log/matched.log
       %$!foo:R,ERE,1,DFLT:rg_counter=%20.+%20(.{2})&--end%
       /var/log/test.log;sub_test_template
     }
}
~~~~~~~~~~~~

I have also tried various permutations of the property above… I've tried it as 
"%foo", "%$foo" and "%!foo".

-- Gary F.

On Mar 26, 2013, at 12:27 AM, Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:

> On Mon, 2013-03-25 at 17:23 -0700, Gary Foster wrote:
>> For the record, this doesn't work.  Rsyslog won't even start up.  Gives me 
>> this:
>> 
>> 7349.533941464:7f66c2bd6740: Called LogError, msg: CONFIG ERROR: could not 
>> interpret master config file '/etc/rsyslog.conf'.
>> 
> can you post the complete template that gives this error, not just the
> property replacer expression. I guess this is related to some other part
> of the template (or line). 
> 
> Rainer
>> 
>> On Mar 21, 2013, at 8:05 AM, Gary Foster <gfos...@realgravity.com> wrote:
>> 
>>>> %$!somevar:R,ERE,1,DFLT:=(.+):.+&--end%
>> 
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
>> LIKE THAT.
> 

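The following is an added example, not part of the original thread or of rsyslog itself. It runs the two regular expressions from the posted config against a shortened, constructed copy of the sample log line, and then shows a more general extraction that URL-decodes `rg_counter` and takes its last token whatever its length. Python's `re` stands in for the POSIX ERE engine here (an assumption that holds for these simple patterns), and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the log line from the post, shortened to the fields
# that matter here (the values themselves are copied from the post).
SAMPLE = (
    '2013-03-26T18:24:36+00:00 mediacast4 rg_events: 10.244.113.41 - - '
    '[26/Mar/2013:18:24:36 +0000] "GET /events?rg_type=2.4.5:info'
    '&rg_page_host_url=Scripting%20Error%20TypeError'
    '&rg_counter=81.01%20162%2050&rg_event=jwplayerMediaTime'
    '&rg_category=Stream%20Progress HTTP/1.1" 200 0'
)

# The two expressions exactly as they appear in the posted rsyslog.conf.
RE_MATCH_EXPR = r".+rg_counter=.+%20.+%20(.{2})&"   # used in re_match()
REPLACER_EXPR = r"rg_counter=%20.+%20(.{2})&"       # used in the replacer

def first_group(pattern, line):
    """Return capture group 1 of the first match, or None if no match."""
    m = re.search(pattern, line)
    return m.group(1) if m else None

def last_counter_field(line):
    """Decode rg_counter from the request and return its last token."""
    # Pull the request target out of the quoted request line.
    m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
    if not m:
        return None
    # parse_qs percent-decodes values, so %20 becomes a space.
    values = parse_qs(urlsplit(m.group(1)).query).get("rg_counter")
    if not values:
        return None
    tokens = values[0].split()
    return tokens[-1] if tokens else None

if __name__ == "__main__":
    print("re_match expression :", first_group(RE_MATCH_EXPR, SAMPLE))
    print("replacer expression :", first_group(REPLACER_EXPR, SAMPLE))
    print("decoded last token  :", last_counter_field(SAMPLE))
```

The two patterns differ by the `.+` between `rg_counter=` and the first `%20`, and `(.{2})` only captures a counter that is exactly two characters long.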