So, I've had decent luck with Pavel's suggestion (field($timegenerated,':',3),
and it rotates around nicely based on the second.
I'm trying a slightly different approach, though, to try to get sub-second
rotation. My firewall logs have a log sequence number that I'd like to use as
the input to my modulus, but I'm having trouble extracting it. Using the
rsyslog regex builder/tester, I came up with this regex:
%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%
But, when I try to use it in my config it doesn't work. I've tried setting a
local variable:
$.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
or
# $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
or
set $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
or
set # $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
But get config errors regardless.
I've tried putting these variations directly in the if clause:
if ("msg:R,ERE,1,DFLT:SN=([0-9]*)--end" % 3 == '0')
(and all the iterations), but no luck with that.
So, under 7.4.4, what is the recommended way to extract a string/number from a
message, and then use that extracted value in an expression?
I've got some other lessons learned from this that I plan to write up for the
group, but want to get this final bit sorted first.
Thanks!!!
Robert
Date: Wed, 23 Oct 2013 08:41:20 -0700
From: [email protected]
To: [email protected]
Subject: Re: [rsyslog] Another approach to action load balancing
there should be per the docs, but in practice there is not. At least not as it
is accessed via the scripting variables. I think if you use it as a property in
a template you get the higher precision.
David Lang
On Wed, 23 Oct 2013, Robert McIntyre wrote:
> Thanks, Pavel! This works as expected. The docs say that $timegenerated is
> "always in high resolution". Is that max resolution seconds? I'm trying to
> figure out how to just see the value of $timegenerated to see what format it
> is (I'm assuming HH:MM:SS based on the field statement, but wonder if there's
> a .XX at the end).
>
> Thanks!!!
> Robert
>
>
>> Date: Wed, 23 Oct 2013 18:00:04 +0400
>> From: [email protected]
>> To: [email protected]
>> Subject: Re: [rsyslog] Another approach to action load balancing
>>
>>
>>
>> Here is what you looked for:
>>
>> field($timegenerated,':',3);
>>
>> It is a number, so you can balance per second based on it. And it works
>> with 7.4.4.
>>
>>
>> --
>> Pavel Levshin
>>
>>
>> 23.10.2013 17:12, Robert McIntyre:
>>> Thanks, that's too bad. I was quite excited yesterday, thinking about the
>>> problem and reading the docs, but couldn't figure it out after spending
>>> some time with my test server.
>>>
>>> I recall the other thread recently about the documentation, and how to make
>>> it clear what's applicable to which version, as well as what's possible
>>> across features (Rainer script crossed with property replacer in this
>>> case). This is an example of that issue.
>>>
>>> I don't have much to contribute to this project other than questions, the
>>> occasional answer for someone else, and thanks, so I'll reiterate: thanks
>>> to everyone working on this project! :)
>>>
>>> Thanks!
>>> Robert
>>> ________________________________
>>> From: Rainer Gerhards<mailto:[email protected]>
>>> Sent: 10/23/2013 4:01 AM
>>> To: rsyslog-users<mailto:[email protected]>
>>> Subject: Re: [rsyslog] Another approach to action load balancing
>>>
>>> On Wed, Oct 23, 2013 at 12:41 PM, Pavel Levshin <[email protected]>wrote:
>>>
>>>> So, not all system properties are accessible from RainerScript, in 7.4.
>>>> There is none having resolution of seconds. Here they are:
>>>>
>>>> $now (this is just a date, unfortunately)
>>>> $year
>>>> $month
>>>> $day
>>>> $hour
>>>> $minute
>>>> $myhostname
>>>>
>>>> And that's all. In 7.5, all is complicated right now.
>>>>
>>>> I am working on that ;) I could promise to add some $$nowseconds sysvar,
>>> but looking at the current schedule I better do not do that...
>>>
>>> Rainer
>>>
>>>> --
>>>> Pavel
>>>>
>>>>
>>>> 23.10.2013 10:33, Pavel Levshin:
>>>>
>>>>
>>>>
>>>>> It seemes that you are unable to access $uptime property (as $$uptime, I
>>>>> suppose). The same is true for 7.4 and 7.5.5.
>>>>>
>>>>> It works for me, because there is a regression after latest fixes for
>>>>> global variables. In HEAD, I can access $uptime (as $uptime), but do not
>>>>> see any property without $ at start.
>>>>>
>>>>> As for more precise counter, it is timegenerated. But it is also unusable
>>>>> because you cannot access subseconds from RainerScript. AFAIK.
>>>>>
>>>>>
>>>> ______________________________**_________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
>>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>> LIKE THAT.
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>> LIKE THAT.
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
