Did you try to parse your messages using mmnormalize? (I know it's still not regexp, but so much lighter ;-)
Philippe Muller

On Wed, Mar 20, 2013 at 11:34 PM, Gary Foster <[email protected]> wrote:

> Yeah I already know how to set/unset etc (I'm doing that in other places).
> Fields won't work because the data I'm getting in is incredibly poorly
> structured, and pulling it out via a regex is the most tenable way of doing
> it.
>
> Bear in mind I do subscribe to the philosophy "I've got a problem… I'll
> use a regex to solve it! Oh great, now I've got TWO problems!" :) but in
> this case based upon the source data it's really the most maintainable
> approach.
>
> I'm moving the data generators to using CEE to generate their events
> instead, but that's not a simple transition and in the interim I am looking
> for stopgaps. The ability to set a var based upon a regexp extraction is
> really what I'm struggling with trying to figure out at this time.
>
> -- Gary F.
>
> On Mar 20, 2013, at 2:57 PM, Philippe Muller <[email protected]>
> wrote:
>
> > The syntax is:
> > set $!var = "foo";
> > unset $!var;
> > (don't forget the trailing ";")
> >
> > I don't know how to set it from a regex, but if you simply want to split a
> > string based on a delimiter, you can use the field() function.
> > For example, you can get the second part of a string delimited by slashes
> > ("/") :
> > set $!var = field($somevar, 47, 2);
> >
> > For more information about functions, see
> > http://www.rsyslog.com/doc/rainerscript.html
> >
> >
> > Philippe Muller
> >
> >
> > On Wed, Mar 20, 2013 at 10:36 PM, David Lang <[email protected]> wrote:
> >
> >> Version 7 has added the ability to set variables that you can use later,
> >> earlier versions do not have that capability.
> >>
> >> now, exactly _how_ to set it from a regex is something I would have to dig
> >> further on.
> >>
> >> David Lang
> >>
> >> On Wed, 20 Mar 2013, Gary Foster wrote:
> >>
> >> Date: Wed, 20 Mar 2013 14:30:17 -0700
> >>> From: Gary Foster <[email protected]>
> >>> Reply-To: rsyslog-users <[email protected]>
> >>> To: rsyslog-users <[email protected]>
> >>> Subject: [rsyslog] property replacer and regexps
> >>>
> >>>
> >>> Let's say I want to set an arbitrary variable in my rsyslog.conf based
> >>> upon a regexp match against the incoming message. For example (warning,
> >>> completely contrived examples incoming):
> >>>
> >>> incoming message is "foo:bar=10:baz&blah:blah:blah"
> >>>
> >>> I want to do something like:
> >>>
> >>> set %!somevar = <bar>
> >>>
> >>> (why? Well, I may want to use it in a generic template or other things?
> >>> I don't want to create a specialized template for every possible match)
> >>>
> >>>
> >>> Now I would normally turn to the property replacer and instead of the
> >>> above I'd do something like this:
> >>>
> >>> %msg:R,ERE,1,DFLT:=(.+):.+&--end%
> >>>
> >>> Which works fine with real properties ($msg, $pri, etc) but not so great
> >>> with user or extended properties like %!somevar as far as I can determine.
> >>>
> >>> You'd think it would be simply something like:
> >>>
> >>> %somevar:R,ERE,1,DFLT:=(.+):.+&--end%
> >>>
> >>> but when I then try to access that variable later on in a template like
> >>> this:
> >>>
> >>> template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if
> >>> $!somevar == "10" then)
> >>>
> >>> It tells me it's an invalid property (plain old %$somevar% doesn't work
> >>> either).
> >>>
> >>> I tried various incarnations of:
> >>>
> >>> set $!somevar = <twiddly bits here>;
> >>>
> >>> as well, also with no success.
> >>>
> >>> My question is, first *can* I do this (set an arbitrary user level
> >>> variable to the contents of a regex match) or barring that is there another
> >>> way I can do this?
> >>> For the record, I'm doing this for a LOT of different
> >>> log entries and am checking the logs for what we call "beacons". I do not
> >>> necessarily want to write a slew of different templates based upon the
> >>> values of these beacons (I do various different things with the output
> >>> depending on the value of the beacon) so a purely template approach while
> >>> possible, is not optimal for my situation.
> >>>
> >>> Thanks!
> >>>
> >>> -- Gary F.
> >>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.
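
One way to do what the thread asks, given as an added example that is not part of the original messages: RainerScript's `re_extract()` function returns a regex submatch, which `set` can assign to a user variable. It assumes an rsyslog version whose RainerScript provides `re_extract()`; the pattern, template name and output paths are illustrative.

```rsyslog
# Added example, not from the thread. Pattern, names and paths are assumptions.
# Constructed sample message:  foo:bar=10:baz&blah:blah:blah

# One generic template that references the extracted value.
template(name="tpl" type="string" string="foo: %$!somevar%\n")

# re_extract(expr, re, match, submatch, no-found)
#   match 0    = first match of the POSIX ERE in the string
#   submatch 1 = first parenthesised group
#   no-found   = value returned when the regex does not match
#
# The pattern is anchored at the start of the message ($msg usually begins
# with a space) so that a "bar=..." string appearing later in sender-controlled
# text cannot be picked up as the beacon value.
set $!somevar = re_extract($msg, "^ ?foo:bar=([0-9]+):", 0, 1, "");

# Route on the beacon value; messages without a beacon are left alone.
if $!somevar == "10" then {
    action(type="omfile" file="/var/log/beacon-10.log" template="tpl")
} else if $!somevar != "" then {
    action(type="omfile" file="/var/log/beacon-other.log" template="tpl")
}
```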

