I am using this regular expression with Kiwi Syslog to distribute messages to several destinations based on the last number of the third octet (0-4 goes one place, 5-9 goes another).

     "10\.\d+\.\d*[0-4]\."

This doesn't work with syslog-ng, of course, but based on my research of the archives, this should do the same thing because I've escaped the "\d":

match("10\.\\d+\.\\d*[0-4]\.")

Nope, I get nothing. I've shortened it to just

match("10\.\\d+")

and still get no matching messages.

This sort of works, but gives some unexpected results:

match("10\.[0-9]+\.[0-9]*[0-4]\.")

The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this log message. I didn't expect a match on 10.87.48.4 from it because of the '8' as the last number of the third octet not matching '0-4'.

Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033



So, I have two questions.....

What's wrong with this:

match("10\.\\d+\.\\d*[0-4]\.")

And why did this
match("10\.[0-9]+\.[0-9]*[0-4]\.")
match this
Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033

Thanks!

Phil
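
Added example, not part of the original post: a Python sketch of one way the second filter can match 10.87.48.4. It assumes the double-quoted config string consumes one level of backslashes before the regex engine sees the pattern, so each "\." arrives as a bare "." wildcard. Python's re module stands in for the matching engine, and unquote() and first_match() are hypothetical helper names.

```python
import re

# Log line from the post, cut off after the event ID (constructed excerpt).
LOG = ("Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon "
       "Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000")


def unquote(cfg_string):
    """Assumed model of a double-quoted config string: each backslash is
    consumed and the character after it is kept literally."""
    out, i = [], 0
    while i < len(cfg_string):
        if cfg_string[i] == "\\" and i + 1 < len(cfg_string):
            i += 1  # drop the backslash, keep the escaped character
        out.append(cfg_string[i])
        i += 1
    return "".join(out)


def first_match(pattern, line=LOG):
    """Return the first substring the pattern matches, or None."""
    m = re.search(pattern, line)
    return m.group(0) if m else None


# Exactly what was typed between the double quotes in the filter.
TYPED = r"10\.[0-9]+\.[0-9]*[0-4]\."
# What the regex engine receives under the assumption above.
SEEN = unquote(TYPED)

if __name__ == "__main__":
    print("engine sees :", SEEN)
    # With wildcard dots: "10" "." "87" "." then [0-4] takes the "4" of
    # the third octet and the final "." swallows the "8".
    print("wildcard dot:", first_match(SEEN))
    # With literal dots the same line does not match at all.
    print("literal dot :", first_match(TYPED))
    # Constructed line whose third octet ends in 3, which should route low.
    print("low octet   :", first_match(TYPED, "Oct 29 16:31:20 10.87.43.4 host"))
```

Under the same assumption, doubling every backslash in the double-quoted string keeps the dots literal.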
