The details on re_extract are here: http://www.rsyslog.com/doc/rainerscript.html
Search for re_extract on that page. -- James -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Boylan, James Sent: Wednesday, October 23, 2013 2:08 PM To: rsyslog-users Subject: Re: [rsyslog] Another approach to action load balancing Yes. You are mixing legacy language with script language. You need to use re_extract in the set command. If you are running 7.4.4 there is a patch for re_extract that I recently work with Rainer that fixes a segmentation fault issue in the function. I've attached the patch to this email. Try using it without the patch first. But if you run into a segmentation fault, use the patch. -- James -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Pavel Levshin Sent: Wednesday, October 23, 2013 2:02 PM To: [email protected] Subject: Re: [rsyslog] Another approach to action load balancing I think you need this: re_extract(expr, re, match, submatch, no-found) -- Pavel Levshin 23.10.2013 22:50, Robert McIntyre: > Sorry, slight cut/paste issue on my local variable setting: > > $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%" > or > $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end" > or > set $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end" > or > set $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%" > > Cheers! > Robert > >> From: [email protected] >> To: [email protected] >> Date: Wed, 23 Oct 2013 11:48:19 -0700 >> Subject: Re: [rsyslog] Another approach to action load balancing >> >> So, I've had decent luck with Pavel's suggestion >> (field($timegenerated,':',3), and it rotates around nicely based on the >> second. >> >> I'm trying a slightly different approach, though, to try to get sub-second >> rotation. My firewall logs have a log sequence number that I'd like to use >> as the input to my modulus, but I'm having trouble extracting it. Using the >> rsyslog regex builder/tester, I came up with this regex: >> >> %msg:R,ERE,1,DFLT:SN=([0-9]*)--end% >> >> But, when I try to use it in my config it doesn't work. I've tried setting >> a local variable: >> >> $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%" >> or >> # $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end" >> or >> set $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end" >> or >> set # $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%" >> >> But get config errors regardless. >> >> I've tried putting these variations directly in the if clause: >> >> if ("msg:R,ERE,1,DFLT:SN=([0-9]*)--end" % 3 == '0') >> >> (and all the iterations), but no luck with that. >> >> So, under 7.4.4, what is the recommended way to extract a string/number from >> a message, and then use that extracted value in an expression? >> >> I've got some other lessons learned from this that I plan to write up for >> the group, but want to get this final bit sorted first. >> >> Thanks!!! >> Robert >> >> >> Date: Wed, 23 Oct 2013 08:41:20 -0700 >> From: [email protected] >> To: [email protected] >> Subject: Re: [rsyslog] Another approach to action load balancing >> >> there should be per the docs, but in practice there is not. At least >> not as it is accessed via the scripting variables. I think if you use >> it as a property in a template you get the higher precision. >> >> David Lang >> >> On Wed, 23 Oct 2013, Robert McIntyre wrote: >> >>> Thanks, Pavel! This works as expected. The docs say that >>> $timegenerated is "always in high resolution". Is that max >>> resolution seconds? I'm trying to figure out how to just see the >>> value of $timegenerated to see what format it is (I'm assuming >>> HH:MM:SS based on the field statement, but wonder if there's a .XX at the >>> end). >>> >>> Thanks!!! >>> Robert >>> _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

