[syslog-ng] PCRE in patterndb with back substitution

Scheidler, Balázs balazs.scheidler at balabit.com
Thu Mar 15 06:10:15 UTC 2018


The $1 is not set in this case; however, you can use template functions in
the value part. E.g., set line based on the @PCRE@ matcher and overwrite its
value using an expression: $(substr $line 0 -3)

Would that work for you?


On Mar 15, 2018 02:08, "Evan Rempel" <erempel at uvic.ca> wrote:

> I have a case where an application logs something like
>
> {date} {host} {program}: my first line...
> ...my second line...
> ...and my third line.
>
>
> I want to make a correlation and unwrap these lines into
>
> {date} {host} {program}: my first line my second line and my third line.
>
>
> I started writing the patterndb to do this, but matching the ... at the end
> of the line is difficult, so I used @PCRE:line:(.*)\.\.\.$@
>
> but I then need to only use the $1 to set a value
>
> <values>
>  <value name="mymessage">$1</value>
> </values>
>
>
> Would this be the correct syntax to do this?
>
> Is there an easier way that would perform well?
>
> Thanks,
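
Added example (not part of the original thread, and not syslog-ng code): a Python model of the approach in the reply, where the value named line holds the whole match including the trailing dots and a substr with length -3 trims them before the wrapped lines are joined. The header regex, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Same expression as the @PCRE:line:(.*)\.\.\.$@ parser in the question.
WRAPPED = re.compile(r"(.*)\.\.\.$")
# Assumed header layout "{date} {host} {program}: " (constructed for this example).
HEADER = re.compile(r"^(\S+ \S+ \S+: )(.*)$")

# Constructed sample input modelled on the lines quoted in the question.
SAMPLE = [
    "2018-03-15T02:08:00 host1 myapp: my first line...",
    "...my second line...",
    "...and my third line.",
    "2018-03-15T02:08:05 host1 myapp: unrelated single line.",
]

def line_value(text):
    """Model of the named value: the whole match (dots included), or None."""
    m = WRAPPED.match(text)
    return m.group(0) if m else None

def substr(value, offset, length):
    """Model of $(substr value offset length); a negative length counts from the end."""
    end = len(value) + length if length < 0 else offset + length
    return value[offset:end]

def unwrap(lines):
    """Join each record whose lines end in '...' with its continuation lines."""
    out, parts, prefix = [], [], ""
    for raw in lines:
        text = raw.rstrip("\n")
        if not parts:                      # first line of a record carries the header
            m = HEADER.match(text)
            prefix, text = (m.group(1), m.group(2)) if m else ("", text)
        elif text.startswith("..."):       # continuation marker at the start of the line
            text = text[3:]
        value = line_value(text)
        if value is not None:              # more lines follow: trim the trailing dots
            parts.append(substr(value, 0, -3))
        else:                              # last line of the record: emit it
            parts.append(text)
            out.append(prefix + " ".join(parts))
            parts = []
    if parts:                              # input ended in the middle of a record
        out.append(prefix + " ".join(parts))
    return out

if __name__ == "__main__":
    for record in unwrap(SAMPLE):
        print(record)
```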

