I have following messages
1)"customer1"," 5","0","".....
2)"customer2"," 5","0",""....
3)"customer3"," 5","0",""...
4)""," 5","0",""
5)""," 5","0",""
What I want to achieve is based on first value in double quotes I want to create folders and then writing logs in the respective folder only and whenever double quote is blank send those logs in Others folder.With the following configuration I am able to create folder like (customer1,customer2 and customer3). Problem Occurs when I have blank value at the first place like log 4 and 5.
syslog-ng.conf
filter c1 {match('(^"")' flags("store-matches") type("pcre") value("MESSAGE") );}; destination d1 {file("/opt/data/cef/other/${DAY}${MONTH}${YEAR}_other.log");}; log {source(s_udp);filter(c1);destination(d1);};
filter c2 {match('(?<=")([\w\s]*)(?=")' flags("store-matches") type("pcre") value("MESSAGE") );}; destination d2 {file("/opt/data/cef/$1/${DAY}${MONTH}${YEAR}_$1.log");}; log {source(s_udp);filter(c2);destination(d2);};
First filter checks if the first double quote is empty or just like "" and it writes those logs into Others folder.Problem is with the second filter it matches everything between "". So it works fine if it has value but misbehave if it is empty .So it writes this log into a file with the name 03_06_2017.log in /opt/data/cef folder. I am not sure why it is creating a separate file .
Please help .
Regards VG
