
I need to extract the profile for these syslog entries.

May 11 09:35:59 server-0548 ea_appserver: env=ACPT profile=product_api java[31185]: 2017-05-11 09:35:59,210 server-0548 org.hibernate.internal.SessionFactoryImpl ServerService Thread Pool -- 51 HHH000008: JTASessionContext being used with JDBCTransactionFactory; auto-flush will not operate correctly with getCurrentSession()

The following regex works for PCRE but I can't seem to convert it over to POSIX.

(?m)profile=(\S+)

I've tried

[^=]*$

and

.*profile=(.*)

but can't get either to stop at just product_api

Wiktor Stribiżew
Naveen
  • Try `profile=([^[:space:]]+)` if you really need a POSIX ERE regex. Please show or tell us how and where you are using this regex. – Wiktor Stribiżew May 12 '17 at 19:39
  • We are using this on a farm of heavy forwarders for Splunk. The regex is to help sort the data prior to ingesting it into Splunk. This will help keep the data sorted for faster access and allow us to put different retention periods. So we are using rsyslog. The below piece is from the 20-nmon-performance.conf file. – Naveen May 15 '17 at 14:14
  • ```
    set $!usr!fullprofile = re_extract($msg,'profile=([^[:space:]]+)',0,0,'no-profile');
    set $!usr!profile = re_extract($!usr!fullprofile,'[^=]*$',0,0,'no-profile');
    ################################
    # Logic to split all app data by environment type
    ################################
    $template prodLogs,"/vcaclog/PROD/%$!usr!profile%/%HOSTNAME%/%programname%.log"
    $template
    if $msg contains 'env=PROD' then {
    if $programname startswith 'ea_appserver' then ?prodLogs
    & stop
    if $programname startswith 'ea_loadbalancer' then ?prodLogs
    ```
    – Naveen May 15 '17 at 14:16
  • Ok, just tested my solution at http://www.rsyslog.com/regex/, and it output `product_api` when I set *Submatch to Use* to `1`. – Wiktor Stribiżew May 15 '17 at 14:16
  • So `profile=([^[:space:]]+)` worked perfectly. Thanks so much! – Naveen May 15 '17 at 14:17

1 Answer

POSIX ERE does not support inline regex modifiers, and shorthand character classes are not always supported. Note that even in your `(?m)profile=(\S+)` PCRE regex, the `(?m)` MULTILINE modifier is redundant as there is no `^`, nor `$` to redefine the behavior of. What you may use is a POSIX character class `[:space:]` (matching any whitespace) inside a negated bracket expression:

profile=([^[:space:]]+)

Details:

  • profile= - a literal substring
  • ([^[:space:]]+) - Group 1: one or more characters other than those that can be matched with [:space:] POSIX character class.
Wiktor Stribiżew
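
The answer's pattern run through the POSIX `regcomp`/`regexec` API, as an added example that is not code from the question or the answer. `PROFILE_STRICT` and the helper names are assumptions introduced here: because the extracted value becomes a directory name in the asker's `prodLogs` template, the stricter pattern accepts only letters, digits, `_` and `-` and falls back to the default otherwise.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Pattern from the answer: everything up to the next whitespace. */
#define PROFILE_ANY    "profile=([^[:space:]]+)"
/* Assumed stricter variant: only [A-Za-z0-9_-], then whitespace or end. */
#define PROFILE_STRICT "profile=([[:alnum:]_-]+)([[:space:]]|$)"
/* The question's log line, shortened after the timestamp (sample input). */
#define SAMPLE "May 11 09:35:59 server-0548 ea_appserver: env=ACPT " \
               "profile=product_api java[31185]: 2017-05-11 09:35:59,210"

/* Copy submatch 1 of POSIX ERE `pattern` found in `msg` into `out`.
 * On no match or a bad pattern, `out` holds `dflt` (like the last
 * argument of re_extract). Returns 1 on match, 0 otherwise. */
static int extract_group1(const char *pattern, const char *msg,
                          const char *dflt, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];
    int found = 0;
    snprintf(out, outlen, "%s", dflt);
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return 0;
    if (regexec(&re, msg, 2, m, 0) == 0 && m[1].rm_so >= 0) {
        size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (len >= outlen)
            len = outlen - 1;            /* truncate, never overflow */
        memcpy(out, msg + m[1].rm_so, len);
        out[len] = '\0';
        found = 1;
    }
    regfree(&re);
    return found;
}

/* Hypothetical wrapper: static buffer, default "no-profile". */
const char *profile_of(const char *pattern, const char *msg)
{
    static char buf[64];
    extract_group1(pattern, msg, "no-profile", buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("%s\n", profile_of(PROFILE_ANY, SAMPLE));
    printf("%s\n", profile_of(PROFILE_STRICT, "env=ACPT profile=a/../b x"));
    return 0;
}
```

The trailing `([[:space:]]|$)` group matters: without it the strict pattern would accept the leading `a` of a value such as `a/../b` instead of rejecting the whole field.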