MonitorWare Knowledge Base

I see that I can use regular expressions to parse messages to drop into the database, but I can't seem to figure out how to do what I need to do.

Say I have a message like so:

field1A,field1B field2A,field2B,field2C

So, there are commas and spaces, so I cannot use a field seperator.

Say I wanted to extract field2B. How could I do that? It seems with the regular expression matching, it will only find the portion that matches an entire regular expression.. not a submatch within the expression.

So I'd like to do something like %msg:R:^.*,.*\s.*,(.*)--end%
and get the submatch. Is that possible? I'd be nice to have something.. maybe a whole new directive.. to parse a message using a single regexp, sprinkle in submatches, and then use them as fields for my database inserts like:

$regexpTemplate myRegExpTemplate,/^stuff\s(\w+):\s(\w+)/

$template mySQLTemplate,"INSERT INTO syslog(col1, col2) VALUES ('%match:1%', '%match:2%')",SQL,myRegExpTemplate


Thanks

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Sorry, that's not an option with the current code. It will be possible (by virtue of a library module) once expressions support custom function libraries (hopefully within the next month). I invite you to add a feature request to the bugzilla: http://bugzilla.adiscon.com

Rainer