On Thu, 2010-08-12 at 08:21 -0600, syslogng@feystorm.net wrote:
Ya, csv is probably the better way to do that, but to answer your original question, it didn't work because you didn't tell it the replacement was a pcre regex (it defaults to posix standard regex) and posix regex doesn't understand most of the character classes pcre does (\S \s \d etc). Change it by specifying 'type(pcre)'. You might also need to set the store-matches flag but I'm not sure on this. I know it's required to access the captures from outside the match, but I haven't tested to see if it's required within a rewrite.
The administrator's guide has all this in it and is a tremendously helpful resource. Can be found on the balabit web site under documentation.
Yes, the "store-matches" flag is needed in the case of a rewrite rule too. So it should look like:

rewrite test_columns {
    subst("(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", "system=$1 action=$2 flags=$3 result=$4", value("MESSAGE") type(pcre) flags(store-matches));
};

But csv-parser should be _much_ faster than using regexps, but I'd appreciate it if you could actually post numbers if this is true.

--
Bazsi
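
Added example, not part of the original thread or the syslog-ng documentation: a csv-parser version of the same four-column rewrite, for comparison with the subst() rule above. The names p_columns, r_columns, s_local and d_out are hypothetical, and it assumes the message body is exactly four fields separated by single spaces (delimiters(" ") splits on each space, unlike \s+).

```conf
# Added illustration; p_columns, r_columns, s_local and d_out are hypothetical names.
# Assumption: MESSAGE holds exactly four fields separated by single spaces.

# Split MESSAGE into four named columns without any regular expression.
parser p_columns {
    csv-parser(
        columns("system", "action", "flags", "result")
        delimiters(" ")
        flags(escape-none, strip-whitespace)
        template("${MESSAGE}")
    );
};

# Rebuild MESSAGE from the parsed columns, giving the same output
# format as the subst() rule: system=... action=... flags=... result=...
rewrite r_columns {
    set("system=${system} action=${action} flags=${flags} result=${result}", value("MESSAGE"));
};

# The parser must run before the rewrite so the column macros are populated.
log {
    source(s_local);
    parser(p_columns);
    rewrite(r_columns);
    destination(d_out);
};
```

Unlike the subst() rule, which leaves a non-matching message unchanged, set() rewrites every message that reaches it, so messages with fewer than four fields come out with empty values.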