So $! definitely works. However I'm seeing some strange behavior with re_extract()
Using: set $!errorlevel = re_extract($msg, "^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|(.*)", 1, 0); I get the error: Reading a token: 6314.691436419:7f892e452740: Called LogError, msg: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid character '"' in expression - is there an invalid escape sequence somewhere? rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid character '"' in expression - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] 6314.691454673:7f892e452740: Called LogError, msg: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid character '^' in expression - is there an invalid escape sequence somewhere? rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid character '^' in expression - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] Next token is token '(' () Shifting token '(' () Entering state 40 Reading a token: 6314.691491894:7f892e452740: Called LogError, msg: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid character '.' in expression - is there an invalid escape sequence somewhere? rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid character '.' in expression - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] Next token is token '*' () 6314.691511476:7f892e452740: Called LogError, msg: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: syntax error on token '*' rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: syntax error on token '*' [try http://www.rsyslog.com/e/2207 ] -- James ________________________________________ From: [email protected] [[email protected]] On Behalf Of David Lang [[email protected]] Sent: Wednesday, September 18, 2013 3:15 PM To: rsyslog-users Subject: Re: [rsyslog] Local Variables Usage Question $. local files are processed for each message as well it's the global variables (also requiring 7.5.3) that persist from one message to another. David Lang On Wed, 18 Sep 2013, Boylan, James wrote: > Ah. That would make sense. I will try with $! Then. Assuming that it is > processed for each message. > > -- sent from mobile -- > > ----- Reply message ----- > From: "Rainer Gerhards" <[email protected]> > To: "rsyslog-users" <[email protected]> > Subject: [rsyslog] Local Variables Usage Question > Date: Wed, Sep 18, 2013 3:06 pm > > > > I think local vars require 7.5 > > Sent from phone, thus brief. > Am 18.09.2013 22:04 schrieb "Boylan, James" <[email protected]>: > >> 7.4.4 >> >> --James >> >> -- sent from mobile -- >> >> ----- Reply message ----- >> From: "Rainer Gerhards" <[email protected]> >> To: "rsyslog-users" <[email protected]> >> Subject: [rsyslog] Local Variables Usage Question >> Date: Wed, Sep 18, 2013 2:45 pm >> >> >> >> Which rsyslog version? >> >> Sent from phone, thus brief. >> Am 18.09.2013 21:38 schrieb "Boylan, James" <[email protected]>: >> >>> That would be great. >>> >>> Now that you have pointed it out I suspect it is the function >> re_extract(). >>> >>> However I can't seem to get it to be happy with what I'm placing into it. >>> >>> set $.errorlevel = re_extract($msg, >>> "^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|(.*)",1,0); >>> >>> results with: >>> >>> Next token is token SET () >>> Shifting token SET () >>> Entering state 8 >>> Reading a token: 2942.763234538:7f8d47254740: Called LogError, msg: error >>> during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before >>> line 36: invalid character '$' in expression - is there an invalid escape >>> sequence somewhere? >>> rsyslogd: error during parsing file >> /etc/rsyslog.d/rsyslog-port21516.conf, >>> on or before line 36: invalid character '$' in expression - is there an >>> invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] >>> 2942.763249065:7f8d47254740: Called LogError, msg: error during parsing >>> file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid >>> character '.' in expression - is there an invalid escape sequence >> somewhere? >>> rsyslogd: error during parsing file >> /etc/rsyslog.d/rsyslog-port21516.conf, >>> on or before line 36: invalid character '.' in expression - is there an >>> invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] >>> Next token is token FUNC () >>> 2942.763276314:7f8d47254740: Called LogError, msg: error during parsing >>> file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: syntax >>> error on token 'errorlevel' >>> rsyslogd: error during parsing file >> /etc/rsyslog.d/rsyslog-port21516.conf, >>> on or before line 36: syntax error on token 'errorlevel' [try >>> http://www.rsyslog.com/e/2207 ] >>> Error: popping token SET () >>> Stack now 0 1 >>> Error: popping nterm conf () >>> Stack now 0 >>> Cleanup: discarding lookahead token FUNC () >>> Stack now 0 >>> 2942.763322066:7f8d47254740: Called LogError, msg: CONFIG ERROR: could >> not >>> interpret master config file '/etc/rsyslog.d/rsyslog-port21516.conf'. >>> rsyslogd: CONFIG ERROR: could not interpret master config file >>> '/etc/rsyslog.d/rsyslog-port21516.conf'. [try >>> http://www.rsyslog.com/e/2207 ] >>> 2942.763336393:7f8d47254740: GenerateLocalHostName uses 'xxxxxx' >>> rsyslogd: run failed with error -2207 (see rsyslog.h or try >>> http://www.rsyslog.com/e/2207 to learn what that number means) >>> >>> James T. Boylan >>> Senior Systems Engineer * Orbitz Worldwide >>> 500 W. Madison St. * Suite 1000 * Chicago, IL 60661 >>> Office: 312-260-2378 * Mobile: 312-863-9134 >>> >>> This email and any files transmitted with it are confidential and >> intended >>> solely for the use of the individual or entity to whom they are >> addressed. >>> If you have received this email in error please notify the system >> manager. >>> This message contains confidential information and is intended only for >> the >>> individual named. If you are not the named addressee you should not >>> disseminate, distribute or copy this e-mail. Please notify the sender >>> immediately by e-mail if you have received this e-mail by mistake and >>> delete this e-mail from your system. If you are not the intended >> recipient >>> you are notified that disclosing, copying, distributing or taking any >>> action in reliance on the contents of this information is strictly >>> prohibited. >>> >>> >>> -----Original Message----- >>> From: [email protected] [mailto: >>> [email protected]] On Behalf Of Rainer Gerhards >>> Sent: Wednesday, September 18, 2013 2:13 PM >>> To: rsyslog-users >>> Subject: Re: [rsyslog] Local Variables Usage Question >>> >>> No, but you can't use string property syntax in scripts. Its >>> >>> Set $.var = func($msg,...); >>> >>> I am not sure if there currently is a regex function, but think so. Can >>> check tomorrow when I am at a real machine. >>> >>> Sent from phone, thus brief. >>> Am 18.09.2013 20:52 schrieb "Boylan, James" <[email protected]>: >>> >>>> Ahh. I have to convert completely over to the new config structure to >>>> use variables? >>>> >>>> That explains the issue. >>>> >>>> -- James >>>> >>>> >>>> -----Original Message----- >>>> From: [email protected] [mailto: >>>> [email protected]] On Behalf Of Rainer Gerhards >>>> Sent: Wednesday, September 18, 2013 1:49 PM >>>> To: rsyslog-users >>>> Subject: Re: [rsyslog] Local Variables Usage Question >>>> >>>> You are mixing string template with script syntax! >>>> >>>> Sent from phone, thus brief. >>>> Am 18.09.2013 19:44 schrieb "Boylan, James" <[email protected]>: >>>> >>>>> I'm attempting to use local variables as a means to reduce the >>>>> overall impact of the regex per message. However I seem to be >>>>> running into a hurdle that I can find any documentation on. >>>>> >>>>> Specifically I'm attempting to use: >>>>> set $.errorlevel = >>>>> %msg:R,ERE,4,BLANK:^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|(.*)--end%; >>>>> set $.session = >>>>> %msg:R,ERE,8,BLANK:^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|([a-zA-Z0-9.-]+) >>>>> \| >>>>> ([a-zA-Z0-9._-]+)\|([a-zA-Z0-9]*)\|([a-zA-Z0-9._-]*)[~]*([a-zA-Z0-9. >>>>> _- >>>>> ]*)\|(.*)--end%; >>>>> set $.appname = >>>>> %msg:R,ERE,1,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>> ._ ]+)[-_]*([A-Za-z0-9_-]*)([\^])--end%; >>>>> set $.appversion = >>>>> %msg:R,ERE,2,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>> ._ ]+)[-_]*([A-Za-z0-9_-]*)([\^])--end%; >>>>> set $.appinstance = >>>>> %msg:R,ERE,3,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>> ._ ]+)[-_]*([A-Za-z0-9_-]*)([\^])--end%; >>>>> set $,logtype = >>>>> %msg:R,ERE,4,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>> .] >>>>> +)[-_]*([A-Za-z0-9_]*)[_-]*[a-zA-Z0-9_-]*([\^])--end%; >>>>> set $.cleanmessage = >>>>> >> %msg:R,ERE,5,FIELD:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9. >>>>> _]+)[-_]*([A-Za-z0-9_-]*)[\^](.*)--end%; >>>>> >>>>> Which results in: >>>>> Starting system logger: rsyslogd: run failed with error -2207 (see >>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that >>>>> number >>>>> means) >>>>> >>>>> I know it must be something in how I'm trying to define these. >>>>> However I haven't been able to find a definitive document on using >>>>> them to truly clarify it. >>>>> >>>>> Does anyone have any suggestions? >>>>> >>>>> Thanks! >>>>> >>>>> --James >>>>> _______________________________________________ >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>> http://www.rsyslog.com/professional-services/ >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE >>>>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if >>>>> you DON'T LIKE THAT. >>>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/professional-services/ >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE >> WELL: >>>> This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites >>>> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>>> LIKE THAT. >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/professional-services/ >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE >>>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>> DON'T LIKE THAT. >>>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: >>> This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites >>> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE >>> THAT. >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>> DON'T LIKE THAT. >>> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
