[syslog-ng] PCRE in patterndb with back substitution
Evan Rempel
erempel at uvic.ca
Thu Mar 15 01:08:52 UTC 2018
I have a case where an application logs something like

    {date} {host} {program}: my first line...
    ...my second line...
    ...and my third line.

I want to make a correlation and unwrap these lines into

    {date} {host} {program}: my first line my second line and my third line.

I started writing the patterndb to do this, but matching the ... at the end
of the line is difficult, so I used @PCRE:line:(.*)\.\.\.$@
but I then need to only use the $1 to set a value

    <values>
    <value name="mymessage">$1</value>
    </values>

Would this be the correct syntax to do this?
Is there an easier way that would perform well?

Thanks,
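
The unwrapping asked about above, as an added example in Python; it is not part of the original post and is not syslog-ng or patterndb configuration. It assumes each record is already split into host, program and message, and that continuation lines carry the same host and program as the first line; unwrap() and SAMPLE are hypothetical names.

```python
import re

# The expression from the post: capture everything before a trailing "..."
TRAILING = re.compile(r"(.*)\.\.\.$")
# Assumed counterpart: a continuation line starts with "..."
LEADING = re.compile(r"^\.\.\.(.*)$")

# Constructed sample records: (host, program, message)
SAMPLE = [
    ("web1", "app", "my first line..."),
    ("web2", "app", "unrelated message"),      # interleaved, other host
    ("web1", "app", "...my second line..."),
    ("web1", "app", "...and my third line."),
]


def unwrap(records):
    """Join wrapped messages per (host, program) key.

    Returns (complete, pending): the joined records, and the fragments
    still waiting for a final line when the input ended.
    """
    pending = {}
    complete = []
    for host, program, msg in records:
        key = (host, program)
        lead = LEADING.match(msg)
        body = lead.group(1) if lead else msg
        if not lead and key in pending:
            # A new message started before the previous one finished:
            # emit the truncated fragments instead of merging them.
            complete.append((host, program, " ".join(pending.pop(key))))
        trail = TRAILING.match(body)
        if trail:
            # More lines follow; keep only the captured text (group 1).
            pending.setdefault(key, []).append(trail.group(1))
        else:
            parts = pending.pop(key, [])
            parts.append(body)
            complete.append((host, program, " ".join(parts)))
    return complete, pending


if __name__ == "__main__":
    for record in unwrap(SAMPLE)[0]:
        print(record)
```

Keying the pending fragments by host and program keeps interleaved messages from other sources out of the joined line, and a message that never receives its final line stays in pending rather than being silently dropped.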