[syslog-ng] issues with rewrite and subst
Antal Nemes (anemes)
Antal.Nemes at oneidentity.com
Tue Apr 14 05:49:07 UTC 2020
Hello,
You need double escaping:
With this version, it worked for me:
rewrite { subst("^.+\\((.+)\\)", "${1}", value("user_name")) ;};
Br,
Antal
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Russell Fulton <r.fulton at auckland.ac.nz>
Sent: Sunday, April 12, 2020 23:03
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] issues with rewrite and subst
CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.
version 3.26.1
I am attempting to use rewrite to copy part of one macro into a new one:
rewrite r_user1 { set( "${user}", value("user_name"));};
rewrite r_user2 { subst( "^.+\((.+)\)", "${1}", value("user_name")) ;};
The first simply copies user into user_name.
The second is intended to extract anything in parentheses and throw away the rest.
here is a cleaned up dump of json output including the macros from the regexp:
{"user_name":")","user”:”yyyyn at gmail.com(xxx549)","2":")","1":")","0”:”yyyy at gmail.com(xxx549)”}
I believe ‘1’ should contain ‘xxx549’ not ‘)’.
I have tested the regexpn in ruby’s irb and it works fine there.
here is another example this one where the regexp should not have matched at all:
{"user_name":"9","user":"ping999","2":"9","1":"9","0":"ping999”}
macros 1 and 2 always seem to contain the last character of the original string.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200414/77b13ea9/attachment.html>
More information about the syslog-ng
mailing list