<div dir="auto">Globs can't extract matches into name-value pairs.<div dir="auto"><br></div><div dir="auto">Btw, pcre can also extract into named matches, so you can directly extract into $HOST.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 25, 2020, 15:25 Syslogng <<a href="mailto:syslogng@master666.com">syslogng@master666.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u><div><div style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10pt"><div>Hi,<br></div><div><br></div><div>Thanks for you information, i manage to do this with:<br></div><div><br></div><div>filter f_host { <br></div><div>  match(<br></div><div>    'original_source=[^\.]*'<br></div><div>    flags(store-matches)<br></div><div>    value('MSGONLY')<br></div><div>    type("pcre")</div><div>  );<br></div><div>};<br></div><div><br></div><div>destination d_host {<br></div><div>      file("/data/$1/messages.log")<br></div><div>};<br></div><div><div><br></div><div><br></div><div>If it can help someone else.<br></div><div><br></div><div>Maybe a last question could be if it is not better to use glob in this case to reduce cpu usage ?<br></div><div>But i didn't manage to do it with different try like :<br></div></div><div>filter f_host { <br></div><div>  match(<br></div><div>    "original_source=*.<a href="http://example.com" target="_blank" rel="noreferrer">example.com</a>"<br></div><div>    flags(store-matches)<br></div><div>    value('MSGONLY')<br></div><div>    type("glob")<br></div><div>  );<br></div><div>};<br></div><div><div><br></div><div><br></div><div id="m_-5608982112046033198Zm-_Id_-Sgn1">---- On Tue, 24 Mar 2020 07:18:37 +0100 <b>Balazs Scheidler <<a href="mailto:bazsi77@gmail.com" target="_blank" rel="noreferrer">bazsi77@gmail.com</a>></b> wrote ----<br></div><div><br></div><blockquote style="border-left:1px solid rgb(204,204,204);padding-left:6px;margin:0px 0px 0px 5px"><div><div dir="ltr"><div>Hi,<br></div><div><br></div><div>You can extract values from $MSG by using regexps (by using a regexp based filter with the flags(store-matches) option), or by using csv-parser() with a  custom separator (this should be faster) or even db-parser. In any case, once you extracted the server name just make sure to store it in $HOST and then you can use $HOST in your destination filename.<br></div><div><br></div></div><div><br></div><div><div dir="ltr">On Mon, Mar 23, 2020 at 7:16 PM Syslogng <<a href="mailto:syslogng@master666.com" target="_blank" rel="noreferrer">syslogng@master666.com</a>> wrote:<br></div><div><br></div></div><div><br></div><div><br></div><div>-- <br></div><div dir="ltr">Bazsi<br></div><div>______________________________________________________________________________<br></div><div>Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank" rel="noreferrer">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br></div><div>Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank" rel="noreferrer">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br></div><div>FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank" rel="noreferrer">http://www.balabit.com/wiki/syslog-ng-faq</a><br></div><div><br></div></div><blockquote style="margin:0.0px 0.0px 0.0px 0.8ex;border-left:1.0px solid rgb(204,204,204);padding-left:1.0ex"><div><u></u><br></div><div><div style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10.0pt"><div><blockquote style="border-left:1.0px solid rgb(204,204,204);padding-left:6.0px;margin:0.0px 0.0px 0.0px 5.0px"><div><div style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10.0pt"><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">Hi,<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">We receive aggregated syslog from a server (all logs are send from 1 IP). Also all the events are mixed.<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">The name of the host sending the initial traffic is in each event.<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">ex:<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)"><span style="border-bottom:1.0px dashed rgb(85,85,85);line-height:1">2020/03/23</span><span> </span>[notice] [user] New original_source=<a href="http://SERV1.example.com" target="_blank" rel="noreferrer">SERV1.example.com</a> Task=0 ....<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">How to recover SER1 which is always preceded by "original_source=" and followed by "<a href="http://example.com" target="_blank" rel="noreferrer">example.com</a>" to save it in a file for example /data/serv1.log<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">I don't want a static filter (I know how to do it) but a dynamic one. If a new event arrives at original_source=<a href="http://SERV2.example.com" target="_blank" rel="noreferrer">SERV2.example.com</a><br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">I would like it to automatically create a /data/serv2.log<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">Could you help me please ?<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">thank you in advance<br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:13.3333px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0.0px;text-transform:none;white-space:normal;word-spacing:0.0px;background-color:rgb(255,255,255)">Pit<br></div></div><div><br></div></div></blockquote></div><div><br></div></div><div><br></div></div><div>______________________________________________________________________________<br></div><div> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank" rel="noreferrer">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br></div><div> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank" rel="noreferrer">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br></div><div> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank" rel="noreferrer">http://www.balabit.com/wiki/syslog-ng-faq</a><br></div><div> <br></div></blockquote></blockquote></div><div><br></div></div><br></div>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>