On Mon, Oct 22, 2012 at 11:57 AM, brian <[email protected]> wrote:
> Hello –
>
> We are attempting to parse a custom application log and running into issues
> with this. Here is a sample of the log:
>
> [Thu Oct 18 13:41:48 2012] [ ERROR] [ integer] [servername]
> [/path/to/file.extension::165] Failed to create event (mac_address)
>
> Two attempts have been made at alerting/parsing the log, which are below:
>
> <decoder name="sts">
>
> <prematch>^[(\.+)] [(\.+)] [(\.+)] [(\.+)] [(\.+)] Failed to create
> event</prematch>
>

I don't think prematch uses regex.

> <regex offset="after_prematch">^[(\.+)] [(\.+)] [(\.+)] [(\.+)]
> [(\.+)] Failed to create event (\.+)$</regex>
>

If the prematch actually worked, the regex would start looking at (thanks to the offset) " (mac_address)." So this regex is wrong.

> <order>extra_data</order>
>

Not enough entries here.

> </decoder>
>
> The other attempt was with this:
>
> <decoder name="sts">
>
>
> <prematch>^\[(.*?)\]\s*\[(.*?)\]\s*\[(.*?)\]\s*\[(.*?)\]\s*\[(.*?)\]\s*(.*?)$</prematch>
>
> </decoder>
>

This one is all sorts of wrong.

> Any ideas as to why these are not working?
>
> Thanks in advance.
>
> -Brian
