<p dir="ltr">$1 is the first group (eg parentheses), whereas $0 is the entire match. This matches the convention of other regexp tools. The documentation should be improved if its not clear enough.</p>
<div class="gmail_quote">On Jun 16, 2015 19:47, "westlake" <<a href="mailto:westlake2012@videotron.ca">westlake2012@videotron.ca</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">figured it out with a filter function, apparently I had to use $0<br>
instead of $1 which was the main problem.<br>
<br>
what is found on the regexp page is the range of using between $1 and<br>
$255 but not $0<br>
"Store the matches of the regular expression into the $1, ... $255<br>
variables." over on page,<br>
<br>
<a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-regexp-types.html" rel="noreferrer" target="_blank">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-regexp-types.html</a><br>
<br>
though here with<br>
<a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html" rel="noreferrer" target="_blank">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html</a><br>
<br>
"Custom values created using rewrite rules or parsers can be modified as<br>
well, just like stored matches of regular expressions ($0 ... $255)."<br>
<br>
I tried to use $1 $2 or $3 where I would get "333." for $1, "333" for $2<br>
and "444" for $3 for an ip address of 111.222.333.444<br>
<br>
could this be a bug? I'm currently using the following while trying to<br>
recall the match of an ip address.<br>
<br>
rewrite r_test{<br>
set("$0", value("ATEST"));<br>
};<br>
<br>
filter f_test{<br>
<br>
message("(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"<br>
flags(store-matches) );<br>
};<br>
<br>
and a simple logging with,<br>
<br>
destination d_dst{<br>
file("/var/log/syslog-ng/${YEAR}-${MONTH}-${DAY}.log"<br>
template("${R_DATE} ${ATEST}\n"));<br>
};<br>
<br>
log { source(s_src); filter(f_test); rewrite(r_test); destination(d_dst); };<br>
<br>
thanks<br>
<br>
<br>
On 16/06/15 04:29 AM, westlake wrote:<br>
> I'm stumped on a little problem with syslog-ng, basically what I'm<br>
> trying to do is extract text from a string and place that into a new macro,<br>
> eg<br>
> -> set($(substr ${MSG} 7 12), value("${MACRO");<br>
><br>
> here the syntax checker stops short around the first dollar sign and i'm<br>
> not sure how else I can apply this.<br>
><br>
> thanks<br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
><br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>