<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Max!<div><br></div><div>The whitespace rule in the timestamp field comes from the old BSD syslog format; it is described in the RFC too:<br><a href="https://tools.ietf.org/html/rfc3164#section-4.1.2">https://tools.ietf.org/html/rfc3164#section-4.1.2</a><br></div><div><br></div><div>"<span style="color:rgb(0,0,0);font-size:13.3333px">The TIMESTAMP field is the local time and is in the format of "Mmm dd</span><span style="color:rgb(0,0,0);font-size:13.3333px"> hh:mm:ss" </span>"</div><div><div><div>"If the day of the month is less than 10, then it MUST be represented as a space and then the number. For example, the 7th day of August would be represented as "Aug&nbsp; 7", with two spaces between the "g" and the "7"."</div></div></div><div><br></div><div>Regards,</div><div>Gabor</div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 8, 2019 at 5:33 PM N. Max Pierson &lt;<a href="mailto:nmaxpierson@gmail.com">nmaxpierson@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Evan,<div><br></div><div>Yes I am using single quotes on this pattern. I added \s+ and that seems to resolve my issue. Looks like if it's a date in the 1-9 range it uses 2 spaces instead of one even though it doesn't seem to display it when I match on just a single \s. 
Strange but I think I have what I need so that this regex doesn't break when the days change from single days to double digit days.</div><div><br></div><div>Thanks!</div><div><br></div><div>Regards,</div><div>Max</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 8, 2019 at 10:24 AM Evan Rempel &lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">When using regular expressions that
include the \ character (and perhaps others) they need to be in
single quotes, not double quotes.</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix"><br>
</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">Also, the dates of the form "Feb 8
10:11:54" often have a leading space on the day, so that your
regex really needs to be '^\w+\s+\d+' to match both</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">Feb 9 10:11:54</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">Feb 19 10:11:54</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix"><br>
</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">Not sure if that was your case, but it
is a safer regex to cover such cases.</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix"><br>
</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">I can't speak to why the space gets
eaten in your '8 09:55:54 CST: ' example.<br>
</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix"><br>
</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">Evan.<br>
</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix"><br>
</div>
<div class="gmail-m_4294538265713043593gmail-m_3130068910485362596moz-cite-prefix">On 2/8/19 8:18 AM, N. Max Pierson
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi List,
<div><br>
</div>
<div>I am having some weird issues with rewrite
regex that I cannot explain. I am simply
trying to filter out the first part of the
message which has the date in this format.</div>
<div><br>
</div>
<div>Feb 8 09:13:32 CST: (there is one space at
the end)<br>
</div>
<div><br>
</div>
<div> When I use the following syntax, it
doesn't match as expected.<br>
</div>
<div><br>
</div>
<div>^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s<br>
</div>
<div><br>
</div>
<div>I know this is the correct pattern because
it works just fine on <a href="http://www.regexpal.com" target="_blank">www.regexpal.com</a>.
I did some further testing and I have narrowed
it down to the below ...</div>
<div><br>
</div>
<div>^\w+</div>
<div>8 09:55:54 CST: (this seemed to also
remove the space behind the month)</div>
<div><br>
</div>
<div>^\w+\s</div>
<div>8 09:59:37 CST: (notice this is the exact
same as the above without the beginning space)<br>
</div>
<div><br>
</div>
<div>^\w+\s\d+</div>
<div>Feb 8 10:07:04 CST: (doesn't match
anything as though the space between Feb and 8
isn't there)<br>
</div>
<div><br>
</div>
<div>^\w+\d+<br>
</div>
<div>Feb 8 10:11:54 CST: (again doesn't match
anything as though there is a space between
Feb and 8)<br>
</div>
<div><br>
</div>
<div>So it seems to be something either with \w
word class or the + quantifier and it somehow
eats the space behind it possibly?? I am
running 3.19.1 on CentOS 7.</div>
<div><br>
</div>
<div>Can anyone test this to confirm it isn't
just local to my install for whatever reason?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Max</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
</blockquote></div>
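<div>Added example, not part of the original thread: a Python check of the pattern from the question against the \s+ fix, run on constructed lines for a single-digit and a double-digit day. The sample lines, the function names and the stricter STRICT pattern are assumptions of this example.</div>

```python
import re

# Constructed sample lines in the thread's format ("Mmm dd hh:mm:ss TZ: ").
# RFC 3164 pads a day below 10 with a space, so "Feb" and "8" are two spaces apart.
SAMPLES = [
    "Feb  8 09:13:32 CST: link up on port 3",
    "Feb 19 10:11:54 CST: link up on port 3",
]

# Pattern from the original question: exactly one whitespace after the month.
SINGLE_SPACE = re.compile(r"^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s")
# Same pattern with the \s+ fix suggested in the thread.
FLEXIBLE = re.compile(r"^\w+\s+\d+\s\d+:\d+:\d+\s\w+:\s")
# Stricter variant (assumption of this example): real month names and a
# two-column day field, either space-padded 1-9 or 10-31.
STRICT = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?: [1-9]|[12]\d|3[01]) "
    r"(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d [A-Z]+: "
)


def strip_prefix(pattern, line):
    """Return the line with the timestamp prefix removed, or None if no match."""
    m = pattern.match(line)
    return line[m.end():] if m else None


def compare(lines=SAMPLES):
    """Map each pattern name to the stripped result for every sample line."""
    patterns = {"single": SINGLE_SPACE, "flexible": FLEXIBLE, "strict": STRICT}
    return {name: [strip_prefix(p, l) for l in lines] for name, p in patterns.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

A pattern that only matches from the 10th onward leaves the timestamp prefix in place on the first nine days of every month, so downstream filters and alert rules keyed on the cleaned message see a different string on those days.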