From 6a815063f37e7126f63fa00038f2d050574a6d52 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 30 May 2008 15:18:03 +0200 Subject: capability for replacement text in no match regex case added implemented in property replacer: if a regular expression does not match, it can now either return "**NO MATCH** (default, as before), a blank property or the full original property text --- doc/property_replacer.html | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'doc/property_replacer.html') diff --git a/doc/property_replacer.html b/doc/property_replacer.html index 992bf8e0..b6eaae0f 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -207,16 +207,23 @@ sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\) \[.*--end%"

It is possible to specify some parametes after the "R". These are comma-separated. They are: -

R,<regexp-type>,<submatch> +

R,<regexp-type>,<submatch>,<nomatch>

regexp-type is either "BRE" for Posix basic regular expressions or "ERE" for extended ones. The string must be given in upper case. The default is "BRE" to be consistent with earlier versions of rsyslog that did not support ERE. The submatch identifies the submatch to be used with the result. A single digit is supported. Match 0 is the full match, while 1 to 9 are the acutal submatches. +

nomatch is either "DFLT", "BLANK" or "FIELD" (all upper case!). It tells +what to use if no match is found. With "DFLT", the strig "**NO MATCH**" is +used. This was the only supported value up to rsyslog 3.19.5. With "BLANK" +a blank text is used (""). Finally, "FIELD" uses the full property text +instead of the expression. Some folks have requested that, so it seems +to be useful.

The following is a sample of an ERE expression that takes the first -submatch from the message string: -

%msg:R,ERE,1:for (vlan[0-9]*):--end% +submatch from the message string and replaces the expression with +the full field if no match is found: +

%msg:R,ERE,1,FIELD:for (vlan[0-9]*):--end%

Also, extraction can be done based on so-called "fields". To do so, place a "F" into FromChar. A field in its current definition is anything that is delimited by a delimiter -- cgit
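Review bot: The added nomatch paragraph never states which value applies when the fourth parameter is omitted. The commit message calls DFLT the default, but the doc text only says it "was the only supported value up to rsyslog 3.19.5". Say so explicitly, the way the regexp-type paragraph does for "BRE", and state whether <submatch> has to be given in order to supply <nomatch>, since the parameters are described as comma-separated and appear to be positional. In the same paragraph "strig" should be "string", and the sentence "Some folks have requested that, so it seems to be useful" reads as commit rationale rather than user documentation. It would also help to note that with "FIELD" a non-matching message yields the full, unfiltered property, so in the sample "%msg:R,ERE,1,FIELD:for (vlan[0-9]*):--end%" the output alone no longer tells a reader whether the expression matched.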