<p dir="ltr">Yes, patterndb is an option as well. I was concentrating on the regexp that you used.</p>
<div class="gmail_quote">On Sep 8, 2015 12:02 AM, "Jim Hendrick" <<a href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
<div>Would patterndb be an option?</div><div>Thinking one to match each log line type each parsing out the date and whatever else you want. </div><div><br></div><div>Jim</div><div><br></div><div><br></div><div><br></div><div><div style="font-size:85%;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div><br><br>-------- Original message --------<br>From: Giovanni Mancuso <<a href="mailto:giovanni.mancuso@par-tec.it" target="_blank">giovanni.mancuso@par-tec.it</a>> <br>Date: 09/07/2015 3:26 PM (GMT-05:00) <br>To: "Scheidler, Balázs" <<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>>, Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>> <br>Subject: Re: [syslog-ng] Parsing message in unstructured rows <br><br>
<div style="color:black">
<p style="margin:0 0 1em 0;color:black"></p>
<p style="margin:0 0 1em 0;color:black">Il 07 settembre 2015 21:10:59
"Scheidler, Balázs" <<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>> ha scritto:</p>
<p style="margin:0 0 1em 0;color:black">> On Sep 7, 2015 6:11 PM,
"Giovanni Mancuso" <<a href="mailto:giovanni.mancuso@par-tec.it" target="_blank">giovanni.mancuso@par-tec.it</a>><br>
> wrote:<br>
> ><br>
> > Hi,<br>
> ><br>
> > I have an application that log date in every rows. The problem is
that<br>
> the string isn't in specific part of MESSAGE, but it could be the
first<br>
> element or the last element, or in the middle :-) :-)<br>
> ><br>
> > For example (only MESSAGE):<br>
> > User: <a href="mailto:user1@example.com" target="_blank">user1@example.com</a> Date: 12/12/2014 Status: OK<br>
> > User: <a href="mailto:user2@example.com" target="_blank">user2@example.com</a> ID: 1234 Status: DEL ....... Date:
03/05/2014<br>
> > Date: 05/08/2015 User: <a href="mailto:user3@example.com" target="_blank">user3@example.com</a> ....... Stauts: OK<br>
> > .........<br>
> ><br>
> > I want split the log in more files arranged in different path
builded by<br>
> the date information, for example /LOGS/YYYY/MM/DD/mylog.log.<br>
> ><br>
> > I do:<br>
> > rewrite r_rewrite_set {<br>
> > set("$(python get_data)", value("APP.DATE"));<br>
> > };<br>
> ><br>
> > python{<br>
> > import re<br>
> > def get_data(logmsg):<br>
> > out=None<br>
> > vars(logmsg)<br>
> > out = re.findall(" Date: (\d\d/\d\d/\d\d\d\d) ",
logmsg.MESSAGE)<br>
> > if len(out) == 1:<br>
> > return out[0]<br>
> > else:<br>
> > raise
Exception("Invalid match")<br>
> > };<br>
> ><br>
> > In this way i have in APP.DATE the date.<br>
> > Now i have a some questions:<br>
> > 1) Is there another way to do this without python?<br>
><br>
> Well, this should be possible with a simple regexp filter.</p>
<p style="margin:0 0 1em 0;color:black">I try to use a filter regexp,
but i don't find the solution. Have you an example?</p>
<p style="margin:0 0 1em 0;color:black">><br>
> > 2) In this way for every message, syslog-ng forks and exec a
python<br>
> interpreter?<br>
><br>
> No, it embeds a Python interpreter.<br>
><br>
> > 3) Is there a way to add custom SDATA field from python? Or is
there a<br>
> way to create APP.DATE from python without rewrite rule?<br>
><br>
> Not right now.<br>
><br>
> > 4) Is there a documentation about python{}? I only found a post
in a blog.<br>
><br>
> It's being prepared by the tech writer team in BalaBit<br>
><br>
> ><br>
> > Thanks<br>
> ><br>
> ><br>
> ><br>
>
______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation:<br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ><br>
> ><br></p>
<p style="margin:0 0 1em 0;color:black">Inviato con AquaMail per
Android<br>
<a href="http://www.aqua-mail.com" target="_blank">http://www.aqua-mail.com</a></p>
</div>
</div></blockquote></div>