MonitorWare Knowledge Base

Your first source for knowledge

Skip to content

RegEx POSIX limitation problem - positive lookbehind

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Post a reply

RegEx POSIX limitation problem - positive lookbehind

Postby t.reisinger on Sun Sep 28, 2008 3:33 pm

Hi,

I want to extract several values from a syslog message with RegEx. I was able to create the correct RegEx using 'positive lookbehind' to get for example:

Syslog message
Code: Select all
CallLegType 2, ConnectionId C50604798C2E11DDA3F9C203B891A4DE, SetupTime 21:53:59.301 ADT Sat Sep 27 2008, PeerAddress 400, PeerSubAddress , DisconnectCause 10, DisconnectText normal call clearing (16), ConnectTime 21:53:59.351 ADT Sat Sep 27 2008, DisconnectTime 21:54:02.311 ADT Sat Sep 27 2008, CallOrigin 1, ChargedUnits 0, InfoType 2, TransmitPackets 146, TransmitBytes 23360, ReceivePackets 134, ReceiveBytes 21281

Code: Select all
(?<=CallLegType )[0-9]*   CallLegType     finds 2
(?<=ConnectionId )\w*     ConnectionId    finds C50604798C2E11DDA3F9C203B891A4DE


I used
Code: Select all
extract: '%msg:R:(?<=CallLegType )[0-9]*--end%','%msg:R:(?<=ConnectionId )\w*--end%')
in rsyslog and it loaded find (was recognized in debug mode). In the database/text log I see only NO MATCH. I believe it's a problem with the rsyslog supported RegEx POSIX engine limitation. Can somebody confirm this?

Unfortunately I'm not the RegEx guru and want to ask, if there is a way to modify my positive lookbehind to conform POSIX expression?

Fields are not the right tool to extract the values because I have the field description AND value between the commas:

Code: Select all
ChargedUnits 0, InfoType 2, TransmitPackets 146,


I would really appreciate your feedback/support.

Thomas
t.reisinger
New
 
Posts: 9
Joined: Mon Sep 22, 2008 12:09 pm
Top

Professional Services Information

  • Custom written rsyslog.conf?
  • Maintenance Contract?
  • Installation support?

Re: RegEx POSIX limitation problem - positive lookbehind

Postby rgerhards on Mon Sep 29, 2008 10:43 am

sorry, I am not a regex guy either, but I think you need ERE expressions, not BRE ones (the default). That would be R,ERE. For the full syntax, please read here:

http://www.rsyslog.com/doc-property_replacer.html

I'd appreciate if you let me know if that works and, if so, via which directive (that would be useful for others too).

Rainer
User avatar
rgerhards
Site Admin
 
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am
Top

Re: RegEx POSIX limitation problem - positive lookbehind

Postby t.reisinger on Tue Sep 30, 2008 1:32 am

Hi,

I verified the POSIX standard and either ERE or BRE supports positive lookbehind. To be sure I tested it:
Code: Select all
'%msg:R,ERE,1,DFLT:(?<=CallLegType )[0-9]*--end%','%msg:R,ERE,1,DFLT:(?<=ConnectionId )\w*
--end%')


NO MATCH :(
t.reisinger
New
 
Posts: 9
Joined: Mon Sep 22, 2008 12:09 pm
Top

Re: RegEx POSIX limitation problem - positive lookbehind

Postby rgerhards on Tue Sep 30, 2008 7:37 am

I am sorry, I just call the API - maybe it does not fully implement everything that Posix specifies? I do not specifically turn anything off.
User avatar
rgerhards
Site Admin
 
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am
Top

Google Ads

Post a reply

Return to Configuration

Who is online

Users browsing this forum: No registered users and 0 guests

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
phpBB SEO

Time : 0.024s | 14 Queries | GZIP : On
cron