improved doc on property replacer regular expressions

Rainer Gerhards 2008-11-11 11:38:37 +01:00
parent 170d0d6f37
commit 249b27952a
3 changed files with 41 additions and 7 deletions


@ -105,6 +105,7 @@ html_files = \
rsyslog_conf_modules.html \
rsyslog_conf_output.html \
rsyslog_conf_templates.html \
rsyslog_conf_nomatch.html \
src/classes.dia
EXTRA_DIST = $(html_files)
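Review bot: The new entry rsyslog_conf_nomatch.html is appended after rsyslog_conf_templates.html, which breaks the alphabetical order that the visible part of html_files follows (modules, output, templates). Move it between rsyslog_conf_modules.html and rsyslog_conf_output.html so the list stays easy to scan.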


@ -229,7 +229,7 @@ sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\)
\[.*--end%"</p>
<p>It is possible to specify some parametes after the "R". These are
comma-separated. They are:
<p>R,&lt;regexp-type&gt;,&lt;submatch&gt;,&lt;nomatch&gt;,&lt;match-number&gt;
<p>R,&lt;regexp-type&gt;,&lt;submatch&gt;,&lt;<a href="rsyslog_conf_nomatch.html">nomatch</a>&gt;,&lt;match-number&gt;
<p>regexp-type is either "BRE" for Posix basic regular expressions or
"ERE" for extended ones. The string must be given in upper case. The
default is "BRE" to be consistent with earlier versions of rsyslog that
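Review bot: The context line two above the changed synopsis still reads "parametes"; fix it to "parameters" in the same change, since the paragraph is being touched anyway. The paragraphs in this hunk are also opened with <p> and never closed, unlike the "</p>" on the hunk's second line; closing them would keep the markup consistent.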
@ -241,12 +241,8 @@ that the first match is number 0, the second 1 and so on. Up to 10 matches
(up to number 9) are supported. Please note that it would be more
natural to have the match-number in front of submatch, but this would break
backward-compatibility. So the match-number must be specified after "nomatch".
<p>nomatch is either "DFLT", "BLANK" or "FIELD" (all upper case!). It tells
what to use if no match is found. With "DFLT", the strig "**NO MATCH**" is
used. This was the only supported value up to rsyslog 3.19.5. With "BLANK"
a blank text is used (""). Finally, "FIELD" uses the full property text
instead of the expression. Some folks have requested that, so it seems
to be useful.
<p><a href="rsyslog_conf_nomatch.html">nomatch</a> specifies what should
be used in case no match is found.
<p>The following is a sample of an ERE expression that takes the first
submatch from the message string and replaces the expression with
the full field if no match is found:
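Review bot: Replacing the inline description with a link removes the list of valid nomatch values from this page, including the requirement that they be given in upper case and the remark that "DFLT" was the only supported value up to rsyslog 3.19.5. The new rsyslog_conf_nomatch.html carries neither statement. Keep one sentence here naming "DFLT", "BLANK" and "FIELD" (upper case), because the sample introduced in the trailing context relies on the full-field behaviour and a reader should not have to follow a link to understand it.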


@ -0,0 +1,37 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>nomatch mode - property replacer - rsyslog.conf</title></head>
<body>
<h1>nomatch mode - property replacer - rsyslog.con</h1>
<p>This is a part of the <a href="rsyslog_conf.html">rsyslog.conf documentation</a>
of the <a href="property_replacer.html">property replacer</a>.</p>
<p><b>The "nomatch-Mode" specifies which string the property replacer
shall return if a regular expression did not find the search string.</b>. Traditionally,
the string "**NO MATCH**" was returned, but many people complained this was almost never useful.
Still, this mode is support as "<b>DFLT</b>" for legacy configurations.
<p>Two additional and potentially useful modes exist: in one (<b>BLANK</b>) a blank string
is returned. This is probably useful for inserting values into databases where no
value shall be inserted if the expression could not be found. A use case may be
that you record a traffic log based on firewall rules and the "bytes transmitted" counter
is extracted via a regular expression. If no "bytes transmitted" counter is available
in the current message, it is probably a good idea to return an empty string, which the
database layer can turn into a zero.
<p>The other mode is "<b>FIELD</b>", in which the complete field is returned. This may be useful
in cases where absense of a match is considered a failure and the message that triggered
it shall be logged.
<p>If in doubt, <b>it is highly suggested to use the
<a href="http://www.rsyslog.com/tool-regex">rsyslog online regular expression
checker and generator</a> to see these options in action</b>. With that online tool,
you can craft regular expressions based on samples and try out the different modes.
<p>[<a href="manual.html">manual index</a>]
[<a href="rsyslog_conf.html">rsyslog.conf</a>]
[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
</html>
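Review bot: The <h1> reads "rsyslog.con" while the <title> just above it has "rsyslog.conf"; fix the heading. In the first paragraph, "search string.</b>." leaves a doubled period and "this mode is support" should be "supported"; in the FIELD paragraph "absense" should be "absence". The page should also say that the mode keywords must be written in upper case, since nothing in this file states that requirement.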