Version 7 has added the ability to set variables that you can use later; earlier
versions do not have that capability.
Now, exactly _how_ to set it from a regex is something I would have to dig
into further.
David Lang
On Wed, 20 Mar 2013, Gary Foster wrote:
Date: Wed, 20 Mar 2013 14:30:17 -0700
From: Gary Foster <gfos...@realgravity.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: [rsyslog] property replacer and regexps
Let's say I want to set an arbitrary variable in my rsyslog.conf based upon a
regexp match against the incoming message. For example (warning, completely
contrived examples incoming):
incoming message is "foo:bar=10:baz&blah:blah:blah"
I want to do something like:
set %!somevar = <bar>
(why? Well, I may want to use it in a generic template or other things? I
don't want to create a specialized template for every possible match)
Now I would normally turn to the property replacer and instead of the above I'd
do something like this:
%msg:R,ERE,1,DFLT:=(.+):.+&--end%
Which works fine with real properties ($msg, $pri, etc.) but not so great with
user or extended properties like %!somevar, as far as I can determine.
You'd think it would be simply something like:
%somevar:R,ERE,1,DFLT:=(.+):.+&--end%
but when I then try to access that variable later on in a template like this:
template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if $!somevar ==
"10" then)
It tells me it's an invalid property (plain old %$somevar% doesn't work either).
I tried various incarnations of:
set $!somevar = <twiddly bits here>;
as well, also with no success.
My question is, first, *can* I do this (set an arbitrary user level variable to the
contents of a regex match) or, barring that, is there another way I can do this? For the
record, I'm doing this for a LOT of different log entries and am checking the logs for
what we call "beacons". I do not necessarily want to write a slew of different
templates based upon the values of these beacons (I do various different things with the
output depending on the value of the beacon), so a purely template approach, while
possible, is not optimal for my situation.
Thanks!
-- Gary F.
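An added example, not part of either message in this thread: one way to do what is asked on rsyslog v7 or later, using the RainerScript `set` statement with the `re_extract()` function. It uses the v7 `template()` object syntax rather than the legacy `template tpl,"..."` form quoted above; the regex and the output file path are assumptions made for illustration.

```rsyslog
# Added example, not from the thread. Assumes rsyslog v7+ RainerScript.
# Constructed sample input: "foo:bar=10:baz&blah:blah:blah"

# Generic string template that reads the user variable.
template(name="tpl" type="string" string="foo: %$!somevar%\n")

# re_extract(expr, re, match, submatch, no-found):
#   POSIX ERE, first match (0), first capture group (1),
#   and the literal "DFLT" when the message does not match.
set $!somevar = re_extract($msg, "bar=([0-9]+)", 0, 1, "DFLT");

# The variable can now drive filters as well as templates.
if $!somevar == "10" then {
    # Hypothetical destination file, chosen for illustration.
    action(type="omfile" file="/var/log/beacon-10.log" template="tpl")
}
```

Because unmatched messages get the "DFLT" value, a filter on `$!somevar == "DFLT"` separates them from messages that carried a beacon.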
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.