sorry, some wrong info. What I wrote is interpreted as such
if (not $msg) contains "msgnum:" then {
and so it does not work. You need to set parenthesis to negate the
contains clause:
if not ($msg contains "msgnum:") then {
Rainer
El jue., 31 oct. 2019 a las 18:55, Rainer Gerhards
(<[email protected]>) escribió:
>
> You should review rsyslog error logs. I guess you have something
> similar to this in them:
>
> rsyslogd: error during parsing file rstb_314075_f7994d4f_.conf, on or
> before line 17: invalid character '!' in expression - is there an
> invalid escape sequence somewhere? [v8.1911.0.master try
> https://www.rsyslog.com/e/2207 ]
>
> Bottom line: !contains is not a proper script operator. The correct if
> statement is
>
> if not $msg contains "msgnum:" then {
>
> I guess the rest is due to the config error.
>
> HTH
> Rainer
>
> El mié., 30 oct. 2019 a las 20:06, Christian, Mark via rsyslog
> (<[email protected]>) escribió:
> >
> > I have a ruleset that attempts to output to omfile, omkafka and
> > omelasticsearch. All of the events are received on imtcp. I'm
> > attempting to discard some of the events for omfile. I was trying to
> > do something like the following:
> >
> > ruleset(name="process_events" {
> >
> > if $msg !contains "unwanted space delimited string" then {
> > action(type="omfile"
> > <snip>
> > )
> > }
> > action(type="omkafka"
> > <snip>
> > )
> > action(type="omelasticsearch"
> > <snip>
> > )
> > }
> >
> > It seems !contains is being misinterrupted, and that the only events
> > omfile processes are events containing "unwanted space delimited
> > string". I assume contains can work on strings with spaces. I'm
> > wondering what I have wrong with the above.
> >
> > This is on rsyslog-8.1910.0-0adiscon1xenial1
> >
> > Mark Christian
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
