[syslog-ng] Regex Irregularities

N. Max Pierson nmaxpierson at gmail.com
Fri Feb 8 16:33:04 UTC 2019


Hi Evan,

Yes I am using single quotes on this pattern. I added \s+ and that seems to
resolve my issue. Looks like if it's a date in the 1-9 range it uses 2
spaces instead of one even though it doesn't seem to display it when I
match on just a single \s. Strange but I think I have what I need so that
this regex doesn't break when the days change from single days to double
digit days.

Thanks!

Regards,
Max

On Fri, Feb 8, 2019 at 10:24 AM Evan Rempel <erempel at uvic.ca> wrote:

> When using regular expressions that include the \ character (and perhaps
> others) they need to be in single quotes, not double quotes.
>
> Also, the dates of the form "Feb 8 10:11:54" often have a leading space on
> the day, so that your regex really needs to be '^\w+\s+\d+' to match both
> Feb  9 10:11:54
> Feb 19 10:11:54
>
> Not sure if that was your case, but it is a safer regex to cover such
> cases.
>
> I can't speak to why the space gets eaten in your '8 09:55:54 CST: '
> example.
>
> Evan.
>
> On 2/8/19 8:18 AM, N. Max Pierson wrote:
>
> Hi List,
>
> I am having some weird issues with rewrite regex that I cannot explain. I
> am simply trying to filter out the first part of the message which has the
> date in this format.
>
> Feb 8 09:13:32 CST:  (there is one space at the end)
>
>  When I use the following syntax, it doesn't match as expected.
>
> ^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s
>
> I know this is the correct pattern because it works just fine on
> www.regexpal.com. I did some further testing and I have narrowed it down
> to the below ...
>
> ^\w+
> 8 09:55:54 CST:  (this seemed to also remove the space behind the month)
>
> ^\w+\s
> 8 09:59:37 CST:  (notice this is the exact same as the above without the
> beginning space)
>
> ^\w+\s\d+
> Feb 8 10:07:04 CST:  (doesn't match anything as though the space between
> Feb and 8 isn't there)
>
> ^\w+\d+
> Feb 8 10:11:54 CST:  (again doesn't match anything as though there is a
> space between Feb and 8)
>
> So it seems to be something either with \w word class or the + quantifier
> and it somehow eats the space behind it possibly?? I am running 3.19.1 on
> Centos 7.
>
> Can anyone test this to confirm it isn't just local to my install for
> whatever reason?
>
> Regards,
> Max
>
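Added example, not part of the thread: a Python check of the original pattern and the \s+ variant against a space-padded single-digit day and a two-digit day. It uses Python's re module rather than syslog-ng's regex engine (\w, \s and \d behave the same on these inputs), and the sample messages and function names are constructed for illustration.

```python
import re

# Pattern from the original post: exactly one whitespace character after the month.
STRICT = re.compile(r'^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s')
# Same pattern with the \s+ change from the thread.
TOLERANT = re.compile(r'^\w+\s+\d+\s\d+:\d+:\d+\s\w+:\s')

# Constructed sample messages (not taken from the thread's logs).
SAMPLES = [
    "Feb  8 09:13:32 CST: link state changed",  # day 1-9: padded with an extra space
    "Feb 19 10:11:54 CST: link state changed",  # day 10-31: single space
]


def strip_prefix(pattern, message):
    """Remove the leading timestamp if the pattern matches, else return the message unchanged."""
    return pattern.sub('', message, count=1)


def unmatched(pattern, messages):
    """Return the messages the pattern fails to match, to check a rule before deploying it."""
    return [m for m in messages if pattern.match(m) is None]


if __name__ == "__main__":
    for msg in SAMPLES:
        # repr() shows the exact whitespace in each string.
        print(repr(msg))
        print("  strict   ->", repr(strip_prefix(STRICT, msg)))
        print("  tolerant ->", repr(strip_prefix(TOLERANT, msg)))
    print("strict misses:", unmatched(STRICT, SAMPLES))
```

Running both patterns over a sample that covers days 1-9 and 10-31 before deploying a rewrite rule catches the case where timestamp stripping silently stops working when the day rolls over.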