I agree. Since ANYSTRING does not work in the middle of a pattern, authors are left without an option for variable-length matches when you can't use (E|Q)STRING, such as an unknown number of repeating spaces. I think SET would be fairly efficient since it would behave a lot like a slightly modified version of ESTRING. On Sat, Nov 26, 2011 at 11:10 PM, Evan Rempel <erempel@uvic.ca> wrote:
I have come across some odd lines that really can't be matched/parsed by the patterndb
2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: Module Size Used by 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfs26 1945576 0 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfslinux 326280 1 mmfs26 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: tracedev 67148 2 mmf
I would like to match these and parse out the number. The catch is that the number is right justified which means that there is a variable number of spaces before the number.
I am open to suggestions about how to make a paterndb pattern to match this and parse the number into a tag/value pair.
Failing that I would propose that a @SET@ parser.
@SET:name:character set@
This will match a sequence of characters that contain any of, and only those characters listed by "character set"
This will allow matches of arbitrary length separators such as spaces or hyphens or other cases that can not yet be handled.
Comments?
Evan ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq