From 99f18190a1f911224d45ca61706ae3fbc9ad7a80 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 29 May 2008 12:48:15 +0200 Subject: enhanced property replacer's regex to support submatches - enabled Posix ERE expressions inside the property replacer (previously BRE was permitted only) - provided ability to specify that a regular expression submatch shall be used inside the property replacer --- doc/property_replacer.html | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'doc/property_replacer.html') diff --git a/doc/property_replacer.html b/doc/property_replacer.html index 4fa7ee4a..992bf8e0 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -204,8 +204,19 @@ not become part of it. If you are using regular expressions, the property replacer will return the part of the property text that matches the regular expression. An example for a property replacer sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\) -\[.*--end%"
-

+\[.*--end%"

+

It is possible to specify some parametes after the "R". These are +comma-separated. They are: +

R,<regexp-type>,<submatch> +

regexp-type is either "BRE" for Posix basic regular expressions or +"ERE" for extended ones. The string must be given in upper case. The +default is "BRE" to be consistent with earlier versions of rsyslog that +did not support ERE. The submatch identifies the submatch to be used +with the result. A single digit is supported. Match 0 is the full match, +while 1 to 9 are the acutal submatches. +

The following is a sample of an ERE expression that takes the first +submatch from the message string: +

%msg:R,ERE,1:for (vlan[0-9]*):--end%

Also, extraction can be done based on so-called "fields". To do so, place a "F" into FromChar. A field in its current definition is anything that is delimited by a delimiter -- cgit