You have defined your regular expresion as "posix" which does not have the \d \s etc.
If you change the type to "pcre" then it should work for you.


On 1/15/19 2:01 PM, N. Max Pierson wrote:
Hi List,

I am using version 3.5 and it seems as though regex (posix or pcre) doesn't work completely. Take the example string below (which is the message part of the syslog). 

Jan 15 15:50:57 CST: %DAEMON-3-SYSTEM_MSG: NTP Receive dropping message: Received NTP control mode packet. Drop count:147972  - ntpd[15029]

I am trying to match the date at the beginning of the message and remove it. When I use \w, \s, \d, etc, they do not match anything. If I match on a character classes it works fine (ex [a-z]+ or [0-9]+).

Here is my statement for the rewrite rule.

rewrite r_nexus{ subst("^[a-z]+ [0-9]+ [0-9]+:[0-9]+:[0-9]+ [a-z]+: ", "", value("MESSAGE"), type("posix"), flags("ignore-case"), condition(filter(f_nexus))); };

The above seems to get me what I want but are the character matches not supposed to work in syslog-ng version 3.5??

Regards,
Max