<div dir="ltr">I see that the complexity of that regex expression would increase hugely if you want to solve.<div><br></div><div>I'm still thinking about other possibilities before focusing on a patterndb solution.</div><div>What kind of source do you use for that application? Where is it logging to?</div><div><br></div><div>Gabor</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 20, 2018 at 2:19 PM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_5055162390551485917moz-cite-prefix">No problem about my name. My fast
fingers make tonnes of errors.<br>
<br>
The application does not log into a file, so that isn't a really
good option.<br>
I have the patterndb working for this, however, I came across
another line that is<br>
<br>
... 20 more<br>
<br>
and has a continuation line preceding it that does NOT end in ...
so I have filter<br>
that one out.<br>
<br>
Does anyone handle java stack dumps gracefully :-)<br>
<br>
Evan<div><div class="h5"><br>
<br>
On 03/20/2018 06:07 AM, Nagy, Gábor wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">Sorry Evan for mistyping your name. :)</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Mar 20, 2018 at 2:06 PM, Nagy,
Gábor <span dir="ltr"><<a href="mailto:gabor.nagy@balabit.com" target="_blank">gabor.nagy@balabit.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Elen!<br>
<br>
Does your application log into a file? Because then you
could use multi-line file source with a well-defined
prefix as the "<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">{date}
{host} {program}:</span>".
<div><br>
</div>
<div>Regards,</div>
<div>Gabor</div>
</div>
<div class="m_5055162390551485917HOEnZb">
<div class="m_5055162390551485917h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 15, 2018 at 7:10
AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">The <span class="m_5055162390551485917m_-4500865000135016209m_5465107750960201948m_8211379849010350452money">$1</span> is
not set in this case, you can however use
template functions in the value part. E.g. set
line based on the @PCRE@ matcher and overwrite
its value using an expression $(substr $line 0
-3)
<div dir="auto"><br>
</div>
<div dir="auto">Would that work for you?</div>
<div dir="auto"><br>
</div>
</div>
<div class="m_5055162390551485917m_-4500865000135016209HOEnZb">
<div class="m_5055162390551485917m_-4500865000135016209h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mar 15, 2018
02:08, "Evan Rempel" <<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have a
case where an application logs something
like<br>
<br>
{date} {host} {program}: my first
line...<br>
...my second line...<br>
...and my third line.<br>
<br>
<br>
I want to make a correlation and unwrap
these lines into<br>
<br>
{date} {host} {program}: my first line
my second line and my third line.<br>
<br>
<br>
I started writing the patterndb to do
this, but matching the ... at the end<br>
<br>
of the line is difficult, so I used
@PCRE:line:(.*)\.\.\.$@<br>
<br>
but I then need to only use the $1 to
set a value<br>
<br>
<values><br>
<value
name="mymessage">$1</value><br>
</values><br>
<br>
<br>
Would this be the correct syntax to do
this?<br>
<br>
Is there an easier way that would
perform well?<br>
<br>
Thanks,<br>
<br>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
</blockquote>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="m_5055162390551485917mimeAttachmentHeader"></fieldset>
<br>
</div></div><pre>N �n�r����)em�h�yhiם�w^��</pre>
</blockquote>
<p><br>
</p>
</div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>