When using regular expressions that include the \ character (and perhaps others) they need to be in single quotes, not double quotes.

Also, the dates of the form  Feb 8 10:11:54" often have a leading space on the day, so that your regex really needs to be '^\w+\s+\d+' to match both

Feb  9 10:11:54

Feb 19 10:11:54

Not sure if that was your case, but it is a safer regex to cover such cases.

I cant speak to why the space gets eaten in your '8 09:55:54 CST: ' example.

Evan.

On 2/8/19 8:18 AM, N. Max Pierson wrote:

Hi List,

I am having some weird issues with rewrite regex that I cannot explain. I am simply trying to filter out the first part of the message which has the date in this format.

Feb 8 09:13:32 CST:  (there is one space at the end)

 When I use the following syntax, it doesn't match as expected.

^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s

I know this is the correct pattern because it works just fine on www.regexpal.com. I did some further testing and I have narrowed it down to the below ...

^\w+

8 09:55:54 CST:  (this seemed to also remove the space behind the month)

^\w+\s

8 09:59:37 CST:  (notice this is the exact same as the above without the beginning space)

^\w+\s\d+

Feb 8 10:07:04 CST:  (doesn't match anything as though the space between Feb and 8 isn't there)

^\w+\d+

Feb 8 10:11:54 CST:  (again doesn't match anything as though there is a space between Feb and 8)

So it seems to be something either with \w word class or the + quantifier and it somehow eats the space behind it possibly?? I am running 3.19.1 on Centos 7.

Can anyone test this to confirm it isn't just local to my install for whatever reason?

Regards,

Max

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq