[syslog-ng] Another patterndb limitation

Evan Rempel erempel at uvic.ca
Fri Dec 2 07:33:41 CET 2011 

Having a discussion with myself :-)

I still prefer my recommended parsers commands from my previous mail included below, however, if
breaking backwards compatibility is thought to be too much of a hurdle, I could be convinced to
go with these options.

Rather than eSTRING, the parser SSTRING (stop string) could return the data excluding the stop string.
Rather than changing QSTRING, CSTRING (cite string) could return the quoted data including the quoting
characters.

The MSET and mSET would seem out of place using these parser names, so I would recommend
MATCH - return data matching any of the characters specified
EXCLUDE - return data that does not match any of the characters specified.

I thought this topic would generate a lot of discussion, but that's just me.

Evan. 
________________________________________
From: Evan Rempel [erempel at uvic.ca]
Sent: Wednesday, November 30, 2011 12:51 PM
To: Syslog-ng users' and developers' mailing list
Subject: Another patterndb limitation

I am attempting to parse information from a message that is proving difficult.
The data is of the form;


this data:should be:parsed:on colons

but the only tool I have to use is ESTRING since the text between
the : characters may contain spaces.

The problem is that ESTRING will return the text AND the : following it.

I got to thinking some more (and that is dangerous for everyone) and
realized that I can not parse

the key words are (one two three) to look at


and get a variable that matches (one two three) because QSTRING
does not include the braces.

I would like to see something like

ESTRING - return all the text up to and include the terminator character
eSTRING - return all the text up to but NOT including the terminator character

But now I have a problem. For consistency I would like to see

QSTRING - return all of the quoted text including the quote characters
qSTRING - return all of the quoted text excluding the quote characters.

These would be consistent with ESTRING and eSTRING but would be inconsistent
with the current use of QSTRING.

There was a recent patch submitted for SET, that I would change to

MSET - return all of the text (M)atching any character in the set
mSET - return all of the text not (m)atching any character in the set


So I am asking for suggestions on how to get my new

eSTRING and my changed QSTRING functionality?

comments? suggestions?

Evan

More information about the syslog-ng mailing list