Make sense! Now just waiting for the RPMs get updated, and will give this a go!
Thanks!
Robert
________________________________
From: David Lang<mailto:[email protected]>
Sent: 10/23/2013 3:33 PM
To: rsyslog-users<mailto:[email protected]>
Subject: Re: [rsyslog] Another approach to action load balancing
local variables only exist in the 7.5 branch.
in 7.4 you only have $! variables.
David Lang
On Wed, 23 Oct 2013, Robert McIntyre wrote:
> Date: Wed, 23 Oct 2013 11:48:19 -0700
> From: Robert McIntyre <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] Another approach to action load balancing
>
> So, I've had decent luck with Pavel's suggestion
> (field($timegenerated,':',3), and it rotates around nicely based on the
> second.
>
> I'm trying a slightly different approach, though, to try to get sub-second
> rotation. My firewall logs have a log sequence number that I'd like to use
> as the input to my modulus, but I'm having trouble extracting it. Using the
> rsyslog regex builder/tester, I came up with this regex:
>
> %msg:R,ERE,1,DFLT:SN=([0-9]*)--end%
>
> But, when I try to use it in my config it doesn't work. I've tried setting a
> local variable:
>
> $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
> or
> # $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
> or
> set $.msgid = "msg:R,ERE,1,DFLT:SN=([0-9]*)--end"
> or
> set # $.msgid = "%msg:R,ERE,1,DFLT:SN=([0-9]*)--end%"
>
> But get config errors regardless.
>
> I've tried putting these variations directly in the if clause:
>
> if ("msg:R,ERE,1,DFLT:SN=([0-9]*)--end" % 3 == '0')
>
> (and all the iterations), but no luck with that.
>
> So, under 7.4.4, what is the recommended way to extract a string/number from
> a message, and then use that extracted value in an expression?
>
> I've got some other lessons learned from this that I plan to write up for the
> group, but want to get this final bit sorted first.
>
> Thanks!!!
> Robert
>
>
> Date: Wed, 23 Oct 2013 08:41:20 -0700
> From: [email protected]
> To: [email protected]
> Subject: Re: [rsyslog] Another approach to action load balancing
>
> there should be per the docs, but in practice there is not. At least not as it
> is accessed via the scripting variables. I think if you use it as a property
> in
> a template you get the higher precision.
>
> David Lang
>
> On Wed, 23 Oct 2013, Robert McIntyre wrote:
>
>> Thanks, Pavel! This works as expected. The docs say that $timegenerated is
>> "always in high resolution". Is that max resolution seconds? I'm trying to
>> figure out how to just see the value of $timegenerated to see what format it
>> is (I'm assuming HH:MM:SS based on the field statement, but wonder if there's
>> a .XX at the end).
>>
>> Thanks!!!
>> Robert
>>
>>
>>> Date: Wed, 23 Oct 2013 18:00:04 +0400
>>> From: [email protected]
>>> To: [email protected]
>>> Subject: Re: [rsyslog] Another approach to action load balancing
>>>
>>>
>>>
>>> Here is what you looked for:
>>>
>>> field($timegenerated,':',3);
>>>
>>> It is a number, so you can balance per second based on it. And it works
>>> with 7.4.4.
>>>
>>>
>>> --
>>> Pavel Levshin
>>>
>>>
>>> 23.10.2013 17:12, Robert McIntyre:
>>>> Thanks, that's too bad. I was quite excited yesterday, thinking about the
>>>> problem and reading the docs, but couldn't figure it out after spending
>>>> some time with my test server.
>>>>
>>>> I recall the other thread recently about the documentation, and how to
>>>> make it clear what's applicable to which version, as well as what's
>>>> possible across features (Rainer script crossed with property replacer in
>>>> this case). This is an example of that issue.
>>>>
>>>> I don't have much to contribute to this project other than questions, the
>>>> occasional answer for someone else, and thanks, so I'll reiterate: thanks
>>>> to everyone working on this project! :)
>>>>
>>>> Thanks!
>>>> Robert
>>>> ________________________________
>>>> From: Rainer Gerhards<mailto:[email protected]>
>>>> Sent: 10/23/2013 4:01 AM
>>>> To: rsyslog-users<mailto:[email protected]>
>>>> Subject: Re: [rsyslog] Another approach to action load balancing
>>>>
>>>> On Wed, Oct 23, 2013 at 12:41 PM, Pavel Levshin
>>>> <[email protected]>wrote:
>>>>
>>>>> So, not all system properties are accessible from RainerScript, in 7.4.
>>>>> There is none having resolution of seconds. Here they are:
>>>>>
>>>>> $now (this is just a date, unfortunately)
>>>>> $year
>>>>> $month
>>>>> $day
>>>>> $hour
>>>>> $minute
>>>>> $myhostname
>>>>>
>>>>> And that's all. In 7.5, all is complicated right now.
>>>>>
>>>>> I am working on that ;) I could promise to add some $$nowseconds sysvar,
>>>> but looking at the current schedule I better do not do that...
>>>>
>>>> Rainer
>>>>
>>>>> --
>>>>> Pavel
>>>>>
>>>>>
>>>>> 23.10.2013 10:33, Pavel Levshin:
>>>>>
>>>>>
>>>>>
>>>>>> It seemes that you are unable to access $uptime property (as $$uptime, I
>>>>>> suppose). The same is true for 7.4 and 7.5.5.
>>>>>>
>>>>>> It works for me, because there is a regression after latest fixes for
>>>>>> global variables. In HEAD, I can access $uptime (as $uptime), but do not
>>>>>> see any property without $ at start.
>>>>>>
>>>>>> As for more precise counter, it is timegenerated. But it is also unusable
>>>>>> because you cannot access subseconds from RainerScript. AFAIK.
>>>>>>
>>>>>>
>>>>> ______________________________**_________________
>>>>> rsyslog mailing list
>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>>>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>> DON'T LIKE THAT.
>>>>>
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>> LIKE THAT.
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
