[syslog-ng] substr function issues

Scheidler, Balázs balazs.scheidler at balabit.com
Tue Jun 16 22:26:14 CEST 2015


$1 is the first group (e.g. parentheses), whereas $0 is the entire match.
This matches the convention of other regexp tools. The documentation should
be improved if it's not clear enough.
On Jun 16, 2015 19:47, "westlake" <westlake2012 at videotron.ca> wrote:

> figured it out with a filter function, apparently I had to use $0
> instead of $1 which was the main problem.
>
> what is found on the regexp page is the range of using between $1 and
> $255 but not $0
> "Store the matches of the regular expression into the $1, ... $255
> variables." over on page,
>
>
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-regexp-types.html
>
> though here with
>
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html
>
> "Custom values created using rewrite rules or parsers can be modified as
> well, just like stored matches of regular expressions ($0 ... $255)."
>
> I tried to use $1 $2 or $3 where I would get "333." for $1, "333" for $2
> and "444" for $3 for an ip address of 111.222.333.444
>
> could this be a bug? I'm currently using the following while trying to
> recall the match of an ip address.
>
> rewrite r_test{
> set("$0", value("ATEST"));
> };
>
> filter f_test{
> message("(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
> flags(store-matches) );
> };
>
> and a simple logging with,
>
> destination d_dst{
> file("/var/log/syslog-ng/${YEAR}-${MONTH}-${DAY}.log"
> template("${R_DATE} ${ATEST}\n"));
> };
>
> log { source(s_src); filter(f_test); rewrite(r_test); destination(d_dst);
> };
>
> thanks
>
>
> On 16/06/15 04:29 AM, westlake wrote:
> > I'm stumped on a little problem with syslog-ng, basically what I'm
> > trying to do is extract text from a string and place that into a new
> > macro,
> > e.g.
> > -> set($(substr ${MSG} 7 12), value("${MACRO");
> >
> > here the syntax checker stops short around the first dollar sign and I'm
> > not sure how else I can apply this.
> >
> > thanks
> >
> ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
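The group numbering discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: it runs the regex from the quoted f_test filter under Python's re module and lists what lands in $0 ... $3. The helper name stored_matches and the sample log lines are constructed for illustration.

```python
import re

# Regex copied from the f_test filter in the quoted message.
OCTET = r"[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]"
IP_RE = re.compile(r"((%s)\.){3}(%s)" % (OCTET, OCTET))

def stored_matches(regex, text):
    """Return {"0": whole match, "1": group 1, ...}, or {} if nothing matches.

    Hypothetical helper that mirrors the $0 ... $N numbering from the thread.
    Groups are numbered by the position of their opening parenthesis.
    """
    m = regex.search(text)
    if m is None:
        return {}
    out = {"0": m.group(0)}
    for i in range(1, regex.groups + 1):
        out[str(i)] = m.group(i)  # None if the group took no part in the match
    return out

# Constructed sample log lines using documentation address ranges.
SAMPLE = "Accepted connection from 198.51.100.7 port 22"
SAMPLE_TWO_DIGIT_TAIL = "src=192.0.2.44"

def demo():
    got = stored_matches(IP_RE, SAMPLE)
    # $0 is the whole address. $1 and $2 belong to the group repeated by {3},
    # so they keep only the LAST repetition ("100." and "100"), which is why
    # $1 never holds the full address. $3 is the final octet.
    for name in sorted(got, key=int):
        print("$%s = %r" % (name, got[name]))
    # Caveat under Python's re (leftmost-first alternation, as in PCRE): the
    # final group tries [0-9] first and the pattern is unanchored, so a
    # multi-digit last octet is cut to its first digit.
    print("$0 = %r" % stored_matches(IP_RE, SAMPLE_TWO_DIGIT_TAIL)["0"])
    return got

if __name__ == "__main__":
    demo()
```

The truncation of the last octet depends on the regex engine's alternation rules, so check the stored $0 against a few real addresses before relying on it in a template.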