Never mind, I forgot you needed to find it inside the message.
David Lang
On Fri, 31 Jul 2015, David Lang wrote:
Date: Fri, 31 Jul 2015 00:43:39 -0700 (PDT)
From: David Lang <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Question on "contains"
There's also the table lookup feature that can let you look up a lot of IP
addresses and get back 'yes' or 'no' that you can then test.
David Lang
On Fri, 31 Jul 2015, Radu Gheorghe wrote:
Hi Nick,
I don't know if the array approach would work (I guess not, but you can
try). I would assume that "contains" would be faster than the regex
approach, even with more IPs, because your regex would also be complicated.
If you have a really long list of IPs, then it might be worth parsing the
IP from the message with mmnormalize, and then doing exact matches with a
list of IPs. This in turn could be a condition with multiple ORs or you
could put the list of IPs in an array and use foreach.
I hope this helps.
Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/
On Thu, Jul 30, 2015 at 8:36 PM, Nick Syslog <[email protected]>
wrote:
I have multiple incoming messages that I want to filter on the contents of
the message containing an IP address (not a fromhost-ip, etc.)
As a result this forces me to have to search the actual $msg itself using
either regex or contains...
with that being said, is it more efficient for me to re_match a multitude
of IP addresses OR'ing them together, or would the following actually
work?
if ($msg contains ["IP1","IP2","IP3"....]) then stop
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
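The two approaches discussed in the thread (substring tests on the message versus extracting the IP and doing exact matches against a list), modelled in Python as an added example; it is not rsyslog configuration and not code from any poster. The watch list, sample messages and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data (documentation address ranges), not from the thread.
WATCHED = {"192.0.2.1", "198.51.100.7"}
SAMPLE_MSGS = [
    "Accepted connection from 192.0.2.1 port 51514",
    "Accepted connection from 192.0.2.10 port 51514",
    "Denied 203.0.113.5 -> 198.51.100.7:22",
    "link up on eth0, firmware 1.2.3.4567",
]

# Dotted quad that is not glued to a longer run of digits and dots.
_CANDIDATE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\.?\d)")


def contains_match(msg, watched=WATCHED):
    """Model of OR'ed substring tests: true if any watched IP occurs in msg."""
    return any(ip in msg for ip in watched)


def extract_ips(msg):
    """Return the valid IPv4 literals found in free text."""
    found = []
    for token in _CANDIDATE.findall(msg):
        try:
            found.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
    return found


def exact_match(msg, watched=WATCHED):
    """Model of parse-then-compare: set membership on extracted addresses."""
    return any(ip in watched for ip in extract_ips(msg))


def compare(msgs=SAMPLE_MSGS):
    """Per message: (substring result, exact result)."""
    return [(contains_match(m), exact_match(m)) for m in msgs]


if __name__ == "__main__":
    for msg, (sub, exact) in zip(SAMPLE_MSGS, compare()):
        print(f"contains={sub!s:5} exact={exact!s:5} {msg}")
```

The second sample message is the case to watch: a substring test for 192.0.2.1 also fires on 192.0.2.10, while the exact comparison does not.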