rsyslog: regex extract between 2 strings

Question

I want to extract a substring of msg field between 2 strings.

Example of the log: Test local logging: db=testdb,message

What I want is "testdb", so, the string between "db=" and ","

This is my configuration:

template(name="jsonTemplate"
         type="list"
         option.json="on") {
           constant(value="{")
             constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
             constant(value="\",\"message\":\"")     property(name="msg")
             constant(value="\",\"host\":\"")        property(name="hostname")
             constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
             constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
             constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
             constant(value="\",\"database\":\"")    property(name="msg" regex.expression="(db=)(.*)(,)" regex.match="0" regex.type="ERE")
           constant(value="\"}")
         }

However, the result I got is: "db=testdb,", but I don't want "db=" and "," to appear.

I've tested several regex but didn't worked:

(?<=db=)(.*)(?=,) --> this works in https://regex101.com

I don't understand why the regex doesn't work.

Version: rsyslogd: version 8.24.0

score 0 · Answer 1 · answered Jan 21 '22 at 16:43

0

Found the solution using the submatch 2:

property(name="msg" regex.expression="(db=)(.*)(,)" regex.submatch="2" regex.type="ERE")

answered Jan 21 '22 at 16:43

dcop7

1

rsyslog: regex extract between 2 strings

1 Answers1