On Fri, Oct 15, 2010 at 10:08:16PM +0200, Balazs Scheidler wrote:
> > Is it possible to do PCRE replacement using backreferences? Or is there another way to get this to work?
>
> My best bet would be to use the csv-parser() before doing patterndb matching. You can specify the delimiter to be ':'; the first column is the hostname + port, the second is the "error message". Then, to split the first column, you could perhaps use PCRE to cut out the last '.'-terminated portion.

Good proposal.

> Backrefs are, however, quite slow, especially if you want to use backrefs right in the pattern (and not in the replacement).

I receive about 300 messages per second from this source over a typical almost-24-hour period of data. So I guess I can start with a backref and change to something more complicated if it doesn't work well. Unless 300 MPS is already too much?

> Also note that you can have a match() filter store its matches using flags(store-matches); they'd be stored as $1, $2, etc., or if you use named groups, then $groupname will work as name-value pairs.

Helpful to know.

> Bazsi

Matthew.
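The csv-parser() plus match() approach that Bazsi sketches above, written out as a syslog-ng 3.x configuration. This is an added example, not configuration from either participant, and it assumes a message layout the thread never shows: a line of the form "host.example.com.5432: connection refused", where the port is the last '.'-separated field of the first column. The source path, the column names HOSTPORT/ERRMSG, the group names HOST/PORT and the destination template are all assumptions.

```conf
# Added example, not from the thread. Assumed input line (constructed):
#   host.example.com.5432: connection refused: backend down
# Column names HOSTPORT/ERRMSG and group names HOST/PORT are assumptions.
@version: 3.2

source s_app {
    # Assumed file the application writes its "hostport: error message" lines to.
    file("/var/log/app/errors.log" follow-freq(1));
};

parser p_hostport_err {
    # Split on ':' only. greedy makes the last column (ERRMSG) swallow the rest of
    # the line, so extra colons inside the error text do not shift columns.
    # strip-whitespace drops the space that follows the ':'; escape-none turns off
    # CSV quoting/escaping, which this input does not use.
    csv-parser(columns("HOSTPORT", "ERRMSG")
               delimiters(":")
               flags(escape-none, greedy, strip-whitespace));
};

filter f_split_hostport {
    # Run the regex on the first column only (value("HOSTPORT")), not on $MESSAGE.
    # Named capture groups plus store-matches expose ${HOST} and ${PORT} as
    # name-value pairs. The pattern uses captures but no backreferences, so it
    # avoids the slow case Bazsi mentions. Anchoring PORT at end-of-string means
    # every earlier '.' stays inside HOST.
    match("^(?<HOST>.+)\\.(?<PORT>[0-9]+)$"
          value("HOSTPORT")
          type(pcre)
          flags(store-matches));
};

destination d_split {
    file("/var/log/app/errors-split.log"
         template("${ISODATE} host=${HOST} port=${PORT} msg=${ERRMSG}\n"));
};

log {
    source(s_app);
    parser(p_hostport_err);
    filter(f_split_hostport);
    destination(d_split);
};
```

Two things to check before relying on this. First, type(pcre) is set explicitly because syslog-ng releases of that era defaulted match() to POSIX regexes, which do not understand (?<name>...) groups. Second, f_split_hostport is a filter, so a line whose first column does not fit the host.port shape is dropped from this log path rather than written with empty ${HOST}/${PORT}; if you would rather keep such lines, route them through a second log statement without the filter, or verify the parsed values with a few of the real messages before pointing the path at a patterndb parser.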