diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/property_replacer.html | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/doc/property_replacer.html b/doc/property_replacer.html index b6eaae0f..86d28274 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -207,13 +207,18 @@ sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\) \[.*--end%"</p> <p>It is possible to specify some parametes after the "R". These are comma-separated. They are: -<p>R,<regexp-type>,<submatch>,<nomatch> +<p>R,<regexp-type>,<submatch>,<nomatch>,<match-number> <p>regexp-type is either "BRE" for Posix basic regular expressions or "ERE" for extended ones. The string must be given in upper case. The default is "BRE" to be consistent with earlier versions of rsyslog that did not support ERE. The submatch identifies the submatch to be used with the result. A single digit is supported. Match 0 is the full match, -while 1 to 9 are the acutal submatches. +while 1 to 9 are the acutal submatches. The match-number identifies which match to +use, if the expression occurs more than once inside the string. Please note +that the first match is number 0, the second 1 and so on. Up to 10 matches +(up to number 9) are supported. Please note that it would be more +natural to have the match-number in front of submatch, but this would break +backward-compatibility. So the match-number must be specified after "nomatch". <p>nomatch is either "DFLT", "BLANK" or "FIELD" (all upper case!). It tells what to use if no match is found. With "DFLT", the strig "**NO MATCH**" is used. This was the only supported value up to rsyslog 3.19.5. With "BLANK" @@ -224,6 +229,8 @@ to be useful. submatch from the message string and replaces the expression with the full field if no match is found: <p>%msg:R,ERE,1,FIELD:for (vlan[0-9]*):--end% +<p>and this takes the first submatch of the second match of said expression: +<p>%msg:R,ERE,1,FIELD,1:for (vlan[0-9]*):--end% <p><b>Also, extraction can be done based on so-called "fields"</b>. To do so, place a "F" into FromChar. A field in its current definition is anything that is delimited by a delimiter |