[syslog-ng] Another patterndb limitation

Fekete Robert frobert at balabit.hu
Fri Dec 2 10:01:22 CET 2011


Hi Evan,

I like the idea of optionally including/excluding the stop characters, as both 
are valid use cases that can come in handy. I do not know about the technical 
details, that is, how it is best to implement it. From a usability point of view, 
I'd prefer using a flag/option in the parser, as it would make recognizing the 
option easier. I think that changing the capitalization of the parser is not too 
intuitive and can lead to errors and user frustration (but then again, this 
might be the least frustration in getting patterndb to work :) ).

Robert

On 12/02/2011 07:33 AM, Evan Rempel wrote:

> Having a discussion with myself :-)
>
> I still prefer my recommended parser commands from my previous mail included below, however, if
> breaking backwards compatibility is thought to be too much of a hurdle, I could be convinced to
> go with these options.
>
> Rather than eSTRING, the parser SSTRING (stop string) could return the data excluding the stop string.
> Rather than changing QSTRING, CSTRING (cite string) could return the quoted data including the quoting
> characters.
>
> The MSET and mSET would seem out of place using these parser names, so I would recommend
> MATCH - return data matching any of the characters specified
> EXCLUDE - return data that does not match any of the characters specified.
>
> I thought this topic would generate a lot of discussion, but that's just me.
>
> Evan.
> ________________________________________
> From: Evan Rempel [erempel at uvic.ca]
> Sent: Wednesday, November 30, 2011 12:51 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Another patterndb limitation
>
> I am attempting to parse information from a message that is proving difficult.
> The data is of the form;
>
>
> this data:should be:parsed:on colons
>
> but the only tool I have to use is ESTRING since the text between
> the : characters may contain spaces.
>
> The problem is that ESTRING will return the text AND the : following it.
>
> I got to thinking some more (and that is dangerous for everyone) and
> realized that I can not parse
>
> the key words are (one two three) to look at
>
>
> and get a variable that matches (one two three) because QSTRING
> does not include the braces.
>
> I would like to see something like
>
> ESTRING - return all the text up to and including the terminator character
> eSTRING - return all the text up to but NOT including the terminator character
>
> But now I have a problem. For consistency I would like to see
>
> QSTRING - return all of the quoted text including the quote characters
> qSTRING - return all of the quoted text excluding the quote characters.
>
> These would be consistent with ESTRING and eSTRING but would be inconsistent
> with the current use of QSTRING.
>
> There was a recent patch submitted for SET, that I would change to
>
> MSET - return all of the text (M)atching any character in the set
> mSET - return all of the text not (m)atching any character in the set
>
>
> So I am asking for suggestions on how to get my new
>
> eSTRING and my changed QSTRING functionality?
>
> comments? suggestions?
>
> Evan
>



