Additional followup because I just realized something. I suspect the problem lies in needing to escape the "%" characters inside the regexp. However, I am unable to figure out how to properly escape those characters, although I'm now diving through the online docs in order to figure it out.
-- Gary F. On Mar 26, 2013, at 11:31 AM, Gary Foster <gfos...@realgravity.com> wrote: > I distilled my test conf file down to the bare minimum in order to duplicate > this error. Here it is. > > The file as written causes rsyslog to fail on startup with the aforementioned > config file error. If I comment out the property replacer line and the > output to /var/log/test.log, it loads fine and in fact matches exactly what I > want out of the log stream and dumps the log entries I expect to > /var/log/matched.log (albeit the entire line, not the individual line I am > matching out. > > A sample matched log line looks like this: > > 2013-03-26T18:24:36+00:00 mediacast4 rg_events: 10.244.113.41 - - > [26/Mar/2013:18:24:36 +0000] "GET > /events?rg_type=2.4.5:info&rg_player_type=standard&rg_publisher=Bluefin&rg_publisher_id=1114&rg_domain_category_id=&rg_domain_id=2b97a9c08a1d2e5b4df7a0ff3edf10e5&rg_page_host_url=Scripting%20Error%20TypeError:%20Unable%20to%20get%20value%20of%20the%20property%20'width':%20object%20is%20null%20or%20undefined&rg_ad_domain_id=null&rg_player_uuid=340a133b-a2d3-44b6-a760-c93020e01e17&rg_video_provider_id=601&rg_video_catalog_id=560&rg_video_index_id=9&rg_guid=bd2054b7-9a9e-42a6-978d-140ae19cc408&rg_session=98accc034b7b9bbb3b74594c002a90cf&rg_counter=81.01%20162%2050&rg_event=jwplayerMediaTime&rg_category=Stream%20Progress&rg_lable=http://videos.realgravity.com/948/content/216513/940835-bd2054b7-9a9e-42a6-978d-140ae19cc408.mp4 > HTTP/1.1" 200 0 "http://anomaly.realgravity.com/flash/rg_all.swf"; > "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" > > I am trying to get this part out: > > rg_counter=81.01%20162%2050 > > In fact, that's not entirely true… I really only what the "50" from the above > and I want that in a property (I'm incrementing a counter in redis based on > that). > > my simplified rsyslog.conf > ~~~~~~~~~~~~~ > # enable RELP server > $ModLoad imrelp > > $InputRELPServerRun 2514 > > $WorkDirectory /mnt/ebs/rsyslog_data > > $template sub_test_template, "foo: %$!foo%\n" > > if $programname == 'rg_events' then { > if $msg contains 'rg_category=Stream%20Progress' and re_match($msg, > ".+rg_counter=.+%20.+%20(.{2})&") then { > /var/log/matched.log > %$!foo:R,ERE,1,DFLT:rg_counter=%20.+%20(.{2})&--end% > /var/log/test.log;sub_test_template > } > } > ~~~~~~~~~~~~ > > I have also tried various permutations of the properly above… I've tried it > as "%foo", "%$foo" and "%!foo". > > -- Gary F. > > On Mar 26, 2013, at 12:27 AM, Rainer Gerhards <rgerha...@hq.adiscon.com> > wrote: > >> On Mon, 2013-03-25 at 17:23 -0700, Gary Foster wrote: >>> For the record, this doesn't work. Rsyslog won't even start up. Gives me >>> this: >>> >>> 7349.533941464:7f66c2bd6740: Called LogError, msg: CONFIG ERROR: could not >>> interpret master config file '/etc/rsyslog.conf'. >>> >> can you post the complete template that gives this error, not just the >> property replacer expression. I guess this is related to some other part >> of the template (or line). >> >> Rainer >>> >>> On Mar 21, 2013, at 8:05 AM, Gary Foster <gfos...@realgravity.com> wrote: >>> >>>>> %$!somevar:R,ERE,1,DFLT:=(.+):.+&--end% >>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> LIKE THAT. >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
