I think you need this:
re_extract(expr, re, match, submatch, no-found)
--
Pavel Levshin
23.10.2013 22:50, Robert McIntyre:
Sorry, slight cut/paste issue on my local variable setting:
$.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
or
$.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
or
set $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
or
set $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
Cheers!
Robert
From: [email protected]
To: [email protected]
Date: Wed, 23 Oct 2013 11:48:19 -0700
Subject: Re: [rsyslog] Another approach to action load balancing
So, I've had decent luck with Pavel's suggestion (field($timegenerated,':',3),
and it rotates around nicely based on the second.
I'm trying a slightly different approach, though, to try to get sub-second rotation. My firewall logs have a log sequence number that I'd like to use as the input to my modulus, but I'm having trouble extracting it. Using the rsyslog regex builder/tester, I came up with this regex:
%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%
But, when I try to use it in my config it doesn't work. I've tried setting a local variable:
$.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
or
# $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
or
set $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
or
set # $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
But get config errors regardless.
I've tried putting these variations directly in the if clause:
if ("msg:R,ERE,1,DFLT:SN=([0-9]*)--end" % 3 == '0')
(and all the iterations), but no luck with that.
So, under 7.4.4, what is the recommended way to extract a string/number from a message, and then use that extracted value in an expression?
I've got some other lessons learned from this that I plan to write up for the group, but want to get this final bit sorted first.
Thanks!!!
Robert
Date: Wed, 23 Oct 2013 08:41:20 -0700
From: [email protected]
To: [email protected]
Subject: Re: [rsyslog] Another approach to action load balancing
there should be per the docs, but in practice there is not. At least not as it
is accessed via the scripting variables. I think if you use it as a property in
a template you get the higher precision.
David Lang
On Wed, 23 Oct 2013, Robert McIntyre wrote:
Thanks, Pavel! This works as expected. The docs say that $timegenerated is
"always in high resolution". Is that max resolution seconds? I'm trying to
figure out how to just see the value of $timegenerated to see what format it
is (I'm assuming HH:MM:SS based on the field statement, but wonder if there's
a .XX at the end).
Thanks!!!
Robert
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
