MonitorWare Knowledge Base

Hi,

I want to extract several values from a syslog message with RegEx. I was able to create the correct RegEx using 'positive lookbehind' to get for example:

Syslog message

Code: Select all

CallLegType 2, ConnectionId C50604798C2E11DDA3F9C203B891A4DE, SetupTime 21:53:59.301 ADT Sat Sep 27 2008, PeerAddress 400, PeerSubAddress , DisconnectCause 10, DisconnectText normal call clearing (16), ConnectTime 21:53:59.351 ADT Sat Sep 27 2008, DisconnectTime 21:54:02.311 ADT Sat Sep 27 2008, CallOrigin 1, ChargedUnits 0, InfoType 2, TransmitPackets 146, TransmitBytes 23360, ReceivePackets 134, ReceiveBytes 21281

Code: Select all

(?<=CallLegType )[0-9]*   CallLegType     finds 2
(?<=ConnectionId )\w*     ConnectionId    finds C50604798C2E11DDA3F9C203B891A4DE


I used

Code: Select all

extract: '%msg:R:(?<=CallLegType )[0-9]*--end%','%msg:R:(?<=ConnectionId )\w*--end%')

in rsyslog and it loaded find (was recognized in debug mode). In the database/text log I see only NO MATCH. I believe it's a problem with the rsyslog supported RegEx POSIX engine limitation. Can somebody confirm this?

Unfortunately I'm not the RegEx guru and want to ask, if there is a way to modify my positive lookbehind to conform POSIX expression?

Fields are not the right tool to extract the values because I have the field description AND value between the commas:

Code: Select all

ChargedUnits 0, InfoType 2, TransmitPackets 146,

I would really appreciate your feedback/support.

Thomas

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Hi,

I verified the POSIX standard and either ERE or BRE supports positive lookbehind. To be sure I tested it:

Code: Select all

'%msg:R,ERE,1,DFLT:(?<=CallLegType )[0-9]*--end%','%msg:R,ERE,1,DFLT:(?<=ConnectionId )\w*
--end%')


NO MATCH