Hi Evan, I like the idea of optionally including/excluding the stop characters, as both are valid usecases that can come handy. I do not know about the technical details, that is, how it is best to implement it. From usability point of view, I'd prefer using a flag/option in the parser, as it would make recognizing the option easier. I think that changing the capitalization of the parser is not too intuitive and can lead to errors and user frustration (but then again, this might be the least frustration in getting patterndb to work :) ). Robert On 12/02/2011 07:33 AM, Evan Rempel wrote:
Having a discussion with myself :-)
I still prefer my recommended parsers commands from my previous mail included below, however, if breaking backwards compatibility is thought to be too much of a hurdle, I could be convinced to go with these options.
Rather than eSTRING, the parser SSTRING (stop string) could return the data excluding the stop string. Rather than changing QSTRING, CSTRING (cite string) could return the quoted data including the quoting characters.
The MSET and mSET would seem out of place using these parser names, so I would recommend MATCH - return data matching any of the characters specified EXCLUDE - return data that does not match any of the characters specified.
I thought this topic would generate a lot of discussion, but that's just me.
Evan. ________________________________________ From: Evan Rempel [erempel@uvic.ca] Sent: Wednesday, November 30, 2011 12:51 PM To: Syslog-ng users' and developers' mailing list Subject: Another patterndb limitation
I am attempting to parse information from a message that is proving difficult. The data is of the form;
this data:should be:parsed:on colons
but the only tool I have to use is ESTRING since the text between the : characters may contain spaces.
The problem is that ESTRING will return the text AND the : following it.
I got to thinking some more (and that is dangerous for everyone) and realized that I can not parse
the key words are (one two three) to look at
and get a variable that matches (one two three) because QSTRING does not include the braces.
I would like to see something like
ESTRING - return all the text up to and include the terminator character eSTRING - return all the text up to but NOT including the terminator character
But now I have a problem. For consistency I would like to see
QSTRING - return all of the quoted text including the quote characters qSTRING - return all of the quoted text excluding the quote characters.
These would be consistent with ESTRING and eSTRING but would be inconsistent with the current use of QSTRING.
There was a recent patch submitted for SET, that I would change to
MSET - return all of the text (M)atching any character in the set mSET - return all of the text not (m)atching any character in the set
So I am asking for suggestions on how to get my new
eSTRING and my changed QSTRING functionality?
comments? suggestions?
Evan
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq