Thanks, this seems to work, though I had to change the unset to: unset(value("copy_of_host")) I can't find anything in the docs for unset without using value(). Is this correct or does it change what is being done? Thanks, -Mark -----Original Message----- From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Fabien Wernli Sent: Monday, August 5, 2019 03:12 To: syslog-ng@lists.balabit.hu Subject: [EXTERNAL] Re: [syslog-ng] Regular expressions in rewrite On Fri, Aug 02, 2019 at 01:40:13PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
Is there a way to use regular expressions when setting a value in a rewrite rule? [...] But without changing the actual log message. The goal is to create a variable from a regular expression of the host field in the message that I can then use in a destination path.
You could copy the content of HOST into another macro, then use subst on the copy: rewrite r_rewrite_set_host{ set("$HOST", value("copy_of_host")); subst("^[a-z]+\-([a-z]+).*$", "$1", value("copy_of_host")); set("$copy_of_host" value("location") condition( filter(f_filter_hostnames) ) ); unset('copy_of_host'); } Note that you could also use named matches in subst: subst("^[a-z]+\-(?<location>[a-z]+).*$", "$1", value("copy_of_host")); ______________________________________________________________________________ Member info: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.balabit.hu_mailma... Documentation: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_support_... FAQ: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_wiki_sys...