Yeah I already know how to set/unset etc (I'm doing that in other places).  
Fields won't work because the data I'm getting in is incredibly poorly 
structured, and pulling it out via a regex is the most tenable way of doing it.

Bear in mind I do subscribe to the philosophy "I've got a problem… I'll use a 
regex to solve it!  Oh great, now I've got TWO problems!" :) but in this case 
based upon the source data it's really the most maintainable approach.

I'm moving the data generators to using CEE to generate their events instead, 
but that's not a simple transition and in the interim I am looking for 
stopgaps.  The ability to set a var based upon a regexp extraction is really 
what I'm struggling with trying to figure out at this time.

-- Gary F.

On Mar 20, 2013, at 2:57 PM, Philippe Muller <[email protected]> wrote:

> The syntax is:
> set $!var = "foo";
> unset $!var;
> (don't forget the trailing ";")
> 
> I don't know how to set it from a regex, but if you simply want to split a
> string based on a delimiter, you can use the field() function.
> For example, you can get the second part of a string delimited by slashes
> ("/") :
> set $!var = field($somevar, 47, 2);
> 
> For more information about functions, see
> http://www.rsyslog.com/doc/rainerscript.html
> 
> 
> Philippe Muller
> 
> 
> On Wed, Mar 20, 2013 at 10:36 PM, David Lang <[email protected]> wrote:
> 
>> Version 7 has added the ability to set variables that you can use later,
>> earlier versions do not have that capability.
>> 
>> Now, exactly _how_ to set it from a regex is something I would have to dig
>> further on.
>> 
>> David Lang
>> 
>> On Wed, 20 Mar 2013, Gary Foster wrote:
>> 
>>> Date: Wed, 20 Mar 2013 14:30:17 -0700
>>> From: Gary Foster <[email protected]>
>>> Reply-To: rsyslog-users <[email protected]>
>>> To: rsyslog-users <[email protected]>
>>> Subject: [rsyslog] property replacer and regexps
>>> 
>>> 
>>> Let's say I want to set an arbitrary variable in my rsyslog.conf based
>>> upon a regexp match against the incoming message.  For example (warning,
>>> completely contrived examples incoming):
>>> 
>>> incoming message is "foo:bar=10:baz&blah:blah:**blah"
>>> 
>>> I want to do something like:
>>> 
>>> set %!somevar = <bar>
>>> 
>>> (why?  Well, I may want to use it in a generic template or other things?
>>> I don't want to create a specialized template for every possible match)
>>> 
>>> 
>>> Now I would normally turn to the property replacer and instead of the
>>> above I'd do something like this:
>>> 
>>> %msg:R,ERE,1,DFLT:=(.+):.+&--end%
>>> 
>>> Which works fine with real properties ($msg, $pri, etc) but not so great
>>> with user or extended properties like %!somevar as far as I can determine.
>>> 
>>> You'd think it would be simply something like:
>>> 
>>> %somevar:R,ERE,1,DFLT:=(.+):.+&--end%
>>> 
>>> but when I then try to access that variable later on in a template like
>>> this:
>>> 
>>> template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if
>>> $!somevar == "10" then)
>>> 
>>> It tells me it's an invalid property (plain old %$somevar% doesn't work
>>> either).
>>> 
>>> I tried various incarnations of:
>>> 
>>> set $!somevar = <twiddly bits here>;
>>> 
>>> as well, also with no success.
>>> 
>>> My question is, first *can* I do this (set an arbitrary user level
>>> variable to the contents of a regex match) or barring that is there another
>>> way I can do this?  For the record, I'm doing this for a LOT of different
>>> log entries and am checking the logs for what we call "beacons".  I do not
>>> necessarily want to write a slew of different templates based upon the
>>> values of these beacons (I do various different things with the output
>>> depending on the value of the beacon) so a purely template approach while
>>> possible, is not optimal for my situation.
>>> 
>>> Thanks!
>>> 
>>> -- Gary F.
>>> 
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>> 

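An added example, not part of the original thread: RainerScript's `re_extract()` function returns a regex capture group as a string, so its result can be assigned with `set` and then used in both a template and a filter. It assumes an rsyslog version whose RainerScript provides `re_extract()`; the variable name `$!beacon`, the template name `BeaconLine` and the output file paths are hypothetical.

```conf
# Added example (not from the thread). Constructed sample message:
#   foo:bar=10:baz&blah:blah:blah
# Goal: put the value after "bar=" into a message variable, then reuse it.

# One generic template that works for every beacon value.
template(name="BeaconLine" type="string"
         string="%timereported% %hostname% beacon=%$!beacon%\n")

# re_extract(expr, regex, match, submatch, not-found)
#   expr      - string to search (here the message text)
#   regex     - POSIX ERE
#   match     - which match to use, 0 = first
#   submatch  - which capture group, 1 = first parenthesised group
#   not-found - value returned when the regex does not match
set $!beacon = re_extract($msg, "bar=([0-9]+)", 0, 1, "");

# Filter on the extracted value. The empty string is the "no match" marker
# chosen above, so messages without a beacon are skipped by these actions.
if $!beacon == "10" then {
    action(type="omfile" file="/var/log/beacon-10.log" template="BeaconLine")
} else if $!beacon != "" then {
    action(type="omfile" file="/var/log/beacon-other.log" template="BeaconLine")
}
```

Anchoring the pattern on the literal `bar=` and a digit class, rather than a greedy `(.+)`, keeps the extraction from swallowing later colon-separated fields when the message layout varies.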