From james.lay at wincofoods.com  Fri Dec  2 15:51:47 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 07:51:47 -0700
Subject: [Lognorm] Question on special characters
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local>

Any movement on this?  I am unable to move forward with rule creation
for one of my devices until this is ironed out.  Thank you.

 

James

 

From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Lay, James
Sent: Thursday, November 24, 2011 11:32 AM
To: lognorm at lists.adiscon.com
Subject: [Lognorm] Question on special characters

 

Hey all!

 

So...I think I'm getting down to the bottom of something that I've had
an issue with.  Here's some tests:

 

Log contents to pass to normalizer, blick.txt:

Test one)

 

Rulebase file blick-rulebase:

prefix=

rule=: Test one)

 

normalizer -r blick-rulebase < blick.txt

this works, and returns nothing, since no normalizing was required (as I
understand it).

 

 

 

Now...if I make the below change to the blick-rulebase file:

 

prefix=

rule=: Test %-:word%)

 

normalizer -r blick-rulebase < blick.txt

[cee at 115 originalmsg=" Test one)" unparsed-data=" "]

 

Then it looks like something isn't working.

 

 

 

If I remove the ")" in both blick.txt and blick-rulebase to reflect:

Test one

 

prefix=

rule=: Test %-:word%

 

then it works:

normalizer -r blick-rulebase < blick.txt

[cee at 115 -="one"]

 

This seems to happen with matching %word% within parenthesis.  Is there
something I can do to check this on my end?  Thank you.

 

James

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20111202/f48dbf00/attachment.htm>

From rgerhards at hq.adiscon.com  Fri Dec  2 15:54:04 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 2 Dec 2011 15:54:04 +0100
Subject: [Lognorm] Question on special characters
In-Reply-To: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local>
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com>

Sorry...all of my time has been taken by that journald proposal. I hope to
resume regular work next week...

rainer

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 3:52 PM
> To: lognorm at lists.adiscon.com
> Subject: Re: [Lognorm] Question on special characters
> 
> Any movement on this?  I am unable to move forward with rule creation for
> one of my devices until this is ironed out.  Thank you.
> 
> 
> 
> James
> 
> 
> 
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Thursday, November 24, 2011 11:32 AM
> To: lognorm at lists.adiscon.com
> Subject: [Lognorm] Question on special characters
> 
> 
> 
> Hey all!
> 
> 
> 
> So...I think I'm getting down to the bottom of something that I've had an
> issue with.  Here's some tests:
> 
> 
> 
> Log contents to pass to normalizer, blick.txt:
> 
> Test one)
> 
> 
> 
> Rulebase file blick-rulebase:
> 
> prefix=
> 
> rule=: Test one)
> 
> 
> 
> normalizer -r blick-rulebase < blick.txt
> 
> this works, and returns nothing, since no normalizing was required (as I
> understand it).
> 
> 
> 
> 
> 
> 
> 
> Now...if I make the below change to the blick-rulebase file:
> 
> 
> 
> prefix=
> 
> rule=: Test %-:word%)
> 
> 
> 
> normalizer -r blick-rulebase < blick.txt
> 
> [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> 
> 
> 
> Then it looks like something isn't working.
> 
> 
> 
> 
> 
> 
> 
> If I remove the ")" in both blick.txt and blick-rulebase to reflect:
> 
> Test one
> 
> 
> 
> prefix=
> 
> rule=: Test %-:word%
> 
> 
> 
> then it works:
> 
> normalizer -r blick-rulebase < blick.txt
> 
> [cee at 115 -="one"]
> 
> 
> 
> This seems to happen with matching %word% within parenthesis.  Is there
> something I can do to check this on my end?  Thank you.
> 
> 
> 
> James


From james.lay at wincofoods.com  Fri Dec  2 16:16:33 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 08:16:33 -0700
Subject: [Lognorm] Question on special characters
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local>
	<9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com>
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local>

Thanks Rainer....is there anything I can do on my end to troubleshoot or
make things easier?

James

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, December 02, 2011 7:54 AM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> Sorry...all of my time has been taken by that journald proposal. I
hope to
> resume regular work next week...
> 
> rainer
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > Sent: Friday, December 02, 2011 3:52 PM
> > To: lognorm at lists.adiscon.com
> > Subject: Re: [Lognorm] Question on special characters
> >
> > Any movement on this?  I am unable to move forward with rule
creation for
> > one of my devices until this is ironed out.  Thank you.
> >
> >
> >
> > James
> >
> >
> >
> > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > Sent: Thursday, November 24, 2011 11:32 AM
> > To: lognorm at lists.adiscon.com
> > Subject: [Lognorm] Question on special characters
> >
> >
> >
> > Hey all!
> >
> >
> >
> > So...I think I'm getting down to the bottom of something that I've
had an
> > issue with.  Here's some tests:
> >
> >
> >
> > Log contents to pass to normalizer, blick.txt:
> >
> > Test one)
> >
> >
> >
> > Rulebase file blick-rulebase:
> >
> > prefix=
> >
> > rule=: Test one)
> >
> >
> >
> > normalizer -r blick-rulebase < blick.txt
> >
> > this works, and returns nothing, since no normalizing was required
(as I
> > understand it).
> >
> >
> >
> >
> >
> >
> >
> > Now...if I make the below change to the blick-rulebase file:
> >
> >
> >
> > prefix=
> >
> > rule=: Test %-:word%)
> >
> >
> >
> > normalizer -r blick-rulebase < blick.txt
> >
> > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> >
> >
> >
> > Then it looks like something isn't working.
> >
> >
> >
> >
> >
> >
> >
> > If I remove the ")" in both blick.txt and blick-rulebase to reflect:
> >
> > Test one
> >
> >
> >
> > prefix=
> >
> > rule=: Test %-:word%
> >
> >
> >
> > then it works:
> >
> > normalizer -r blick-rulebase < blick.txt
> >
> > [cee at 115 -="one"]
> >
> >
> >
> > This seems to happen with matching %word% within parenthesis.  Is
there
> > something I can do to check this on my end?  Thank you.
> >
> >
> >
> > James
> 
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From rgerhards at hq.adiscon.com  Fri Dec  2 16:18:56 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 2 Dec 2011 16:18:56 +0100
Subject: [Lognorm] Question on special characters
In-Reply-To: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local>
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com>
	<360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 4:17 PM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> Thanks Rainer....is there anything I can do on my end to troubleshoot or
> make things easier?

Get me a 36 hr day ;-) Let me check on the original question, maybe I see it.
Did you try with liblognorm's normalizer tool in verbose (-v) mode - that is
often quite educating.

Rainer

> 
> James
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Friday, December 02, 2011 7:54 AM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > Sorry...all of my time has been taken by that journald proposal. I
> hope to
> > resume regular work next week...
> >
> > rainer
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > Sent: Friday, December 02, 2011 3:52 PM
> > > To: lognorm at lists.adiscon.com
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > Any movement on this?  I am unable to move forward with rule
> creation for
> > > one of my devices until this is ironed out.  Thank you.
> > >
> > >
> > >
> > > James
> > >
> > >
> > >
> > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > Sent: Thursday, November 24, 2011 11:32 AM
> > > To: lognorm at lists.adiscon.com
> > > Subject: [Lognorm] Question on special characters
> > >
> > >
> > >
> > > Hey all!
> > >
> > >
> > >
> > > So...I think I'm getting down to the bottom of something that I've
> had an
> > > issue with.  Here's some tests:
> > >
> > >
> > >
> > > Log contents to pass to normalizer, blick.txt:
> > >
> > > Test one)
> > >
> > >
> > >
> > > Rulebase file blick-rulebase:
> > >
> > > prefix=
> > >
> > > rule=: Test one)
> > >
> > >
> > >
> > > normalizer -r blick-rulebase < blick.txt
> > >
> > > this works, and returns nothing, since no normalizing was required
> (as I
> > > understand it).
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Now...if I make the below change to the blick-rulebase file:
> > >
> > >
> > >
> > > prefix=
> > >
> > > rule=: Test %-:word%)
> > >
> > >
> > >
> > > normalizer -r blick-rulebase < blick.txt
> > >
> > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > >
> > >
> > >
> > > Then it looks like something isn't working.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > If I remove the ")" in both blick.txt and blick-rulebase to reflect:
> > >
> > > Test one
> > >
> > >
> > >
> > > prefix=
> > >
> > > rule=: Test %-:word%
> > >
> > >
> > >
> > > then it works:
> > >
> > > normalizer -r blick-rulebase < blick.txt
> > >
> > > [cee at 115 -="one"]
> > >
> > >
> > >
> > > This seems to happen with matching %word% within parenthesis.  Is
> there
> > > something I can do to check this on my end?  Thank you.
> > >
> > >
> > >
> > > James
> >
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From james.lay at wincofoods.com  Fri Dec  2 16:29:49 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 08:29:49 -0700
Subject: [Lognorm] Question on special characters
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local>
	<9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com>
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local>

LoL...36 seems a little beefy ;)  Ok...here's the -v output....very
interesting!  Thanks again Rainer.

liblognorm: read sample line: 'prefix='
liblognorm: read sample line: 'rule=: Test %-:word%) '
liblognorm: sample line to add: ': Test %-:word%) '

liblognorm: addSampToTree 0 of 16
liblognorm: parsed literal: ' Test '
liblognorm: buildPTree: begin at 0x8c15030, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 6, offs 0
liblognorm: addSampToTree 6 of 16
liblognorm: parsed field: '-'
liblognorm: got new subtree 0x8c157a0
liblognorm: prev subtree 0x8c15030
liblognorm: new subtree 0x8c157a0
liblognorm: addSampToTree 14 of 16
liblognorm: parsed literal: ') '
liblognorm: buildPTree: begin at 0x8c157a0, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 2, offs 0
liblognorm: end addSampToTree 16 of 16
number of tree nodes: 2
To normalize: ' Test one) '
liblognorm: 0: prefix compare ' ', ' '
liblognorm: 1: prefix compare 'T', 'T'
liblognorm: 2: prefix compare 'e', 'e'
liblognorm: 3: prefix compare 's', 's'
liblognorm: 4: prefix compare 't', 't'
liblognorm: 5: prefix compare ' ', ' '
liblognorm: 6: prefix compare succeeded, still valid
liblognorm: 6:trying parser for field '-': 0xb77c4930
liblognorm: potential hit, trying subtree
liblognorm: 10: prefix compare ' ', ')'
liblognorm: 10 returns 1
liblognorm: 6 nonmatch, backtracking required, left=1
liblognorm: 6 no field, trying subtree char 'o': (nil)
liblognorm: 6 returns 1
liblognorm: final result for normalizer: left 1, endNode 0xbfc09dd0
normalized: '[cee at 115 originalmsg=" Test one) " unparsed-data=" "]'
[cee at 115 originalmsg=" Test one) " unparsed-data=" "]

James

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, December 02, 2011 8:19 AM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > Sent: Friday, December 02, 2011 4:17 PM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > Thanks Rainer....is there anything I can do on my end to
troubleshoot or
> > make things easier?
> 
> Get me a 36 hr day ;-) Let me check on the original question, maybe I
see it.
> Did you try with liblognorm's normalizer tool in verbose (-v) mode -
that is
> often quite educating.
> 
> Rainer
> 
> >
> > James
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com
> > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
Gerhards
> > > Sent: Friday, December 02, 2011 7:54 AM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > Sorry...all of my time has been taken by that journald proposal. I
> > hope to
> > > resume regular work next week...
> > >
> > > rainer
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > To: lognorm at lists.adiscon.com
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > Any movement on this?  I am unable to move forward with rule
> > creation for
> > > > one of my devices until this is ironed out.  Thank you.
> > > >
> > > >
> > > >
> > > > James
> > > >
> > > >
> > > >
> > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > To: lognorm at lists.adiscon.com
> > > > Subject: [Lognorm] Question on special characters
> > > >
> > > >
> > > >
> > > > Hey all!
> > > >
> > > >
> > > >
> > > > So...I think I'm getting down to the bottom of something that
I've
> > had an
> > > > issue with.  Here's some tests:
> > > >
> > > >
> > > >
> > > > Log contents to pass to normalizer, blick.txt:
> > > >
> > > > Test one)
> > > >
> > > >
> > > >
> > > > Rulebase file blick-rulebase:
> > > >
> > > > prefix=
> > > >
> > > > rule=: Test one)
> > > >
> > > >
> > > >
> > > > normalizer -r blick-rulebase < blick.txt
> > > >
> > > > this works, and returns nothing, since no normalizing was
required
> > (as I
> > > > understand it).
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Now...if I make the below change to the blick-rulebase file:
> > > >
> > > >
> > > >
> > > > prefix=
> > > >
> > > > rule=: Test %-:word%)
> > > >
> > > >
> > > >
> > > > normalizer -r blick-rulebase < blick.txt
> > > >
> > > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > > >
> > > >
> > > >
> > > > Then it looks like something isn't working.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > If I remove the ")" in both blick.txt and blick-rulebase to
reflect:
> > > >
> > > > Test one
> > > >
> > > >
> > > >
> > > > prefix=
> > > >
> > > > rule=: Test %-:word%
> > > >
> > > >
> > > >
> > > > then it works:
> > > >
> > > > normalizer -r blick-rulebase < blick.txt
> > > >
> > > > [cee at 115 -="one"]
> > > >
> > > >
> > > >
> > > > This seems to happen with matching %word% within parenthesis.
Is
> > there
> > > > something I can do to check this on my end?  Thank you.
> > > >
> > > >
> > > >
> > > > James
> > >
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From rgerhards at hq.adiscon.com  Fri Dec  2 16:33:52 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 2 Dec 2011 16:33:52 +0100
Subject: [Lognorm] Question on special characters
In-Reply-To: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local>
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com>
	<360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com>

I'll have a look soon, just wanted to add that -vv gives you even more info
(probably more than you ever want ;))
rainer

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 4:30 PM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> LoL...36 seems a little beefy ;)  Ok...here's the -v output....very
interesting!
> Thanks again Rainer.
> 
> liblognorm: read sample line: 'prefix='
> liblognorm: read sample line: 'rule=: Test %-:word%) '
> liblognorm: sample line to add: ': Test %-:word%) '
> 
> liblognorm: addSampToTree 0 of 16
> liblognorm: parsed literal: ' Test '
> liblognorm: buildPTree: begin at 0x8c15030, offs 0
> liblognorm: case 3.1
> liblognorm: addPTree: offs 0
> liblognorm: setPrefix lenBuf 6, offs 0
> liblognorm: addSampToTree 6 of 16
> liblognorm: parsed field: '-'
> liblognorm: got new subtree 0x8c157a0
> liblognorm: prev subtree 0x8c15030
> liblognorm: new subtree 0x8c157a0
> liblognorm: addSampToTree 14 of 16
> liblognorm: parsed literal: ') '
> liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> liblognorm: case 3.1
> liblognorm: addPTree: offs 0
> liblognorm: setPrefix lenBuf 2, offs 0
> liblognorm: end addSampToTree 16 of 16
> number of tree nodes: 2
> To normalize: ' Test one) '
> liblognorm: 0: prefix compare ' ', ' '
> liblognorm: 1: prefix compare 'T', 'T'
> liblognorm: 2: prefix compare 'e', 'e'
> liblognorm: 3: prefix compare 's', 's'
> liblognorm: 4: prefix compare 't', 't'
> liblognorm: 5: prefix compare ' ', ' '
> liblognorm: 6: prefix compare succeeded, still valid
> liblognorm: 6:trying parser for field '-': 0xb77c4930
> liblognorm: potential hit, trying subtree
> liblognorm: 10: prefix compare ' ', ')'
> liblognorm: 10 returns 1
> liblognorm: 6 nonmatch, backtracking required, left=1
> liblognorm: 6 no field, trying subtree char 'o': (nil)
> liblognorm: 6 returns 1
> liblognorm: final result for normalizer: left 1, endNode 0xbfc09dd0
> normalized: '[cee at 115 originalmsg=" Test one) " unparsed-data=" "]'
> [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> 
> James
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Friday, December 02, 2011 8:19 AM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > Sent: Friday, December 02, 2011 4:17 PM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > Thanks Rainer....is there anything I can do on my end to
> troubleshoot or
> > > make things easier?
> >
> > Get me a 36 hr day ;-) Let me check on the original question, maybe I
> see it.
> > Did you try with liblognorm's normalizer tool in verbose (-v) mode -
> that is
> > often quite educating.
> >
> > Rainer
> >
> > >
> > > James
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com
> > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > Sorry...all of my time has been taken by that journald proposal. I
> > > hope to
> > > > resume regular work next week...
> > > >
> > > > rainer
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > To: lognorm at lists.adiscon.com
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > Any movement on this?  I am unable to move forward with rule
> > > creation for
> > > > > one of my devices until this is ironed out.  Thank you.
> > > > >
> > > > >
> > > > >
> > > > > James
> > > > >
> > > > >
> > > > >
> > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > To: lognorm at lists.adiscon.com
> > > > > Subject: [Lognorm] Question on special characters
> > > > >
> > > > >
> > > > >
> > > > > Hey all!
> > > > >
> > > > >
> > > > >
> > > > > So...I think I'm getting down to the bottom of something that
> I've
> > > had an
> > > > > issue with.  Here's some tests:
> > > > >
> > > > >
> > > > >
> > > > > Log contents to pass to normalizer, blick.txt:
> > > > >
> > > > > Test one)
> > > > >
> > > > >
> > > > >
> > > > > Rulebase file blick-rulebase:
> > > > >
> > > > > prefix=
> > > > >
> > > > > rule=: Test one)
> > > > >
> > > > >
> > > > >
> > > > > normalizer -r blick-rulebase < blick.txt
> > > > >
> > > > > this works, and returns nothing, since no normalizing was
> required
> > > (as I
> > > > > understand it).
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Now...if I make the below change to the blick-rulebase file:
> > > > >
> > > > >
> > > > >
> > > > > prefix=
> > > > >
> > > > > rule=: Test %-:word%)
> > > > >
> > > > >
> > > > >
> > > > > normalizer -r blick-rulebase < blick.txt
> > > > >
> > > > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > > > >
> > > > >
> > > > >
> > > > > Then it looks like something isn't working.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > If I remove the ")" in both blick.txt and blick-rulebase to
> reflect:
> > > > >
> > > > > Test one
> > > > >
> > > > >
> > > > >
> > > > > prefix=
> > > > >
> > > > > rule=: Test %-:word%
> > > > >
> > > > >
> > > > >
> > > > > then it works:
> > > > >
> > > > > normalizer -r blick-rulebase < blick.txt
> > > > >
> > > > > [cee at 115 -="one"]
> > > > >
> > > > >
> > > > >
> > > > > This seems to happen with matching %word% within parenthesis.
> Is
> > > there
> > > > > something I can do to check this on my end?  Thank you.
> > > > >
> > > > >
> > > > >
> > > > > James
> > > >
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From james.lay at wincofoods.com  Fri Dec  2 16:38:16 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 08:38:16 -0700
Subject: [Lognorm] Question on special characters
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local>
	<9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com>
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local>

Thanks Rainer....tried with -vv and even -vvv...got the same info as
below.  I'll move on to other devices and backtrack to this one later.

James

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, December 02, 2011 8:34 AM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> I'll have a look soon, just wanted to add that -vv gives you even more
info
> (probably more than you ever want ;))
> rainer
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > Sent: Friday, December 02, 2011 4:30 PM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > LoL...36 seems a little beefy ;)  Ok...here's the -v output....very
> interesting!
> > Thanks again Rainer.
> >
> > liblognorm: read sample line: 'prefix='
> > liblognorm: read sample line: 'rule=: Test %-:word%) '
> > liblognorm: sample line to add: ': Test %-:word%) '
> >
> > liblognorm: addSampToTree 0 of 16
> > liblognorm: parsed literal: ' Test '
> > liblognorm: buildPTree: begin at 0x8c15030, offs 0
> > liblognorm: case 3.1
> > liblognorm: addPTree: offs 0
> > liblognorm: setPrefix lenBuf 6, offs 0
> > liblognorm: addSampToTree 6 of 16
> > liblognorm: parsed field: '-'
> > liblognorm: got new subtree 0x8c157a0
> > liblognorm: prev subtree 0x8c15030
> > liblognorm: new subtree 0x8c157a0
> > liblognorm: addSampToTree 14 of 16
> > liblognorm: parsed literal: ') '
> > liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> > liblognorm: case 3.1
> > liblognorm: addPTree: offs 0
> > liblognorm: setPrefix lenBuf 2, offs 0
> > liblognorm: end addSampToTree 16 of 16
> > number of tree nodes: 2
> > To normalize: ' Test one) '
> > liblognorm: 0: prefix compare ' ', ' '
> > liblognorm: 1: prefix compare 'T', 'T'
> > liblognorm: 2: prefix compare 'e', 'e'
> > liblognorm: 3: prefix compare 's', 's'
> > liblognorm: 4: prefix compare 't', 't'
> > liblognorm: 5: prefix compare ' ', ' '
> > liblognorm: 6: prefix compare succeeded, still valid
> > liblognorm: 6:trying parser for field '-': 0xb77c4930
> > liblognorm: potential hit, trying subtree
> > liblognorm: 10: prefix compare ' ', ')'
> > liblognorm: 10 returns 1
> > liblognorm: 6 nonmatch, backtracking required, left=1
> > liblognorm: 6 no field, trying subtree char 'o': (nil)
> > liblognorm: 6 returns 1
> > liblognorm: final result for normalizer: left 1, endNode 0xbfc09dd0
> > normalized: '[cee at 115 originalmsg=" Test one) " unparsed-data=" "]'
> > [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> >
> > James
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com
> > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
Gerhards
> > > Sent: Friday, December 02, 2011 8:19 AM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > Sent: Friday, December 02, 2011 4:17 PM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > Thanks Rainer....is there anything I can do on my end to
> > troubleshoot or
> > > > make things easier?
> > >
> > > Get me a 36 hr day ;-) Let me check on the original question,
maybe I
> > see it.
> > > Did you try with liblognorm's normalizer tool in verbose (-v) mode
-
> > that is
> > > often quite educating.
> > >
> > > Rainer
> > >
> > > >
> > > > James
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com
> > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > Gerhards
> > > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > > To: lognorm
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > Sorry...all of my time has been taken by that journald
proposal. I
> > > > hope to
> > > > > resume regular work next week...
> > > > >
> > > > > rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > > To: lognorm at lists.adiscon.com
> > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > >
> > > > > > Any movement on this?  I am unable to move forward with rule
> > > > creation for
> > > > > > one of my devices until this is ironed out.  Thank you.
> > > > > >
> > > > > >
> > > > > >
> > > > > > James
> > > > > >
> > > > > >
> > > > > >
> > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > > To: lognorm at lists.adiscon.com
> > > > > > Subject: [Lognorm] Question on special characters
> > > > > >
> > > > > >
> > > > > >
> > > > > > Hey all!
> > > > > >
> > > > > >
> > > > > >
> > > > > > So...I think I'm getting down to the bottom of something
that
> > I've
> > > > had an
> > > > > > issue with.  Here's some tests:
> > > > > >
> > > > > >
> > > > > >
> > > > > > Log contents to pass to normalizer, blick.txt:
> > > > > >
> > > > > > Test one)
> > > > > >
> > > > > >
> > > > > >
> > > > > > Rulebase file blick-rulebase:
> > > > > >
> > > > > > prefix=
> > > > > >
> > > > > > rule=: Test one)
> > > > > >
> > > > > >
> > > > > >
> > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > >
> > > > > > this works, and returns nothing, since no normalizing was
> > required
> > > > (as I
> > > > > > understand it).
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Now...if I make the below change to the blick-rulebase file:
> > > > > >
> > > > > >
> > > > > >
> > > > > > prefix=
> > > > > >
> > > > > > rule=: Test %-:word%)
> > > > > >
> > > > > >
> > > > > >
> > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > >
> > > > > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > > > > >
> > > > > >
> > > > > >
> > > > > > Then it looks like something isn't working.
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > If I remove the ")" in both blick.txt and blick-rulebase to
> > reflect:
> > > > > >
> > > > > > Test one
> > > > > >
> > > > > >
> > > > > >
> > > > > > prefix=
> > > > > >
> > > > > > rule=: Test %-:word%
> > > > > >
> > > > > >
> > > > > >
> > > > > > then it works:
> > > > > >
> > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > >
> > > > > > [cee at 115 -="one"]
> > > > > >
> > > > > >
> > > > > >
> > > > > > This seems to happen with matching %word% within
parenthesis.
> > Is
> > > > there
> > > > > > something I can do to check this on my end?  Thank you.
> > > > > >
> > > > > >
> > > > > >
> > > > > > James
> > > > >
> > > > > _______________________________________________
> > > > > Lognorm mailing list
> > > > > Lognorm at lists.adiscon.com
> > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From rgerhards at hq.adiscon.com  Fri Dec  2 16:41:45 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 2 Dec 2011 16:41:45 +0100
Subject: [Lognorm] Question on special characters
In-Reply-To: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local>
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com>
	<360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728159D@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 4:38 PM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> Thanks Rainer....tried with -vv and even -vvv...got the same info as below.
I'll
> move on to other devices and backtrack to this one later.

Maybe my fault and you need to add some options ;) Anyhow, I had a quick
look. I think (not 100% sure) %word% is defined a whitespace delimited
sequence. If so, "one)" is one word! There is a char-upto syntax where you
can say "evertything up to ")". This may help here. All from the back of my
head and unverified...

rainer
> 
> James
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Friday, December 02, 2011 8:34 AM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > I'll have a look soon, just wanted to add that -vv gives you even more
> info
> > (probably more than you ever want ;))
> > rainer
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > Sent: Friday, December 02, 2011 4:30 PM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > LoL...36 seems a little beefy ;)  Ok...here's the -v output....very
> > interesting!
> > > Thanks again Rainer.
> > >
> > > liblognorm: read sample line: 'prefix='
> > > liblognorm: read sample line: 'rule=: Test %-:word%) '
> > > liblognorm: sample line to add: ': Test %-:word%) '
> > >
> > > liblognorm: addSampToTree 0 of 16
> > > liblognorm: parsed literal: ' Test '
> > > liblognorm: buildPTree: begin at 0x8c15030, offs 0
> > > liblognorm: case 3.1
> > > liblognorm: addPTree: offs 0
> > > liblognorm: setPrefix lenBuf 6, offs 0
> > > liblognorm: addSampToTree 6 of 16
> > > liblognorm: parsed field: '-'
> > > liblognorm: got new subtree 0x8c157a0
> > > liblognorm: prev subtree 0x8c15030
> > > liblognorm: new subtree 0x8c157a0
> > > liblognorm: addSampToTree 14 of 16
> > > liblognorm: parsed literal: ') '
> > > liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> > > liblognorm: case 3.1
> > > liblognorm: addPTree: offs 0
> > > liblognorm: setPrefix lenBuf 2, offs 0
> > > liblognorm: end addSampToTree 16 of 16 number of tree nodes: 2 To
> > > normalize: ' Test one) '
> > > liblognorm: 0: prefix compare ' ', ' '
> > > liblognorm: 1: prefix compare 'T', 'T'
> > > liblognorm: 2: prefix compare 'e', 'e'
> > > liblognorm: 3: prefix compare 's', 's'
> > > liblognorm: 4: prefix compare 't', 't'
> > > liblognorm: 5: prefix compare ' ', ' '
> > > liblognorm: 6: prefix compare succeeded, still valid
> > > liblognorm: 6:trying parser for field '-': 0xb77c4930
> > > liblognorm: potential hit, trying subtree
> > > liblognorm: 10: prefix compare ' ', ')'
> > > liblognorm: 10 returns 1
> > > liblognorm: 6 nonmatch, backtracking required, left=1
> > > liblognorm: 6 no field, trying subtree char 'o': (nil)
> > > liblognorm: 6 returns 1
> > > liblognorm: final result for normalizer: left 1, endNode 0xbfc09dd0
> > > normalized: '[cee at 115 originalmsg=" Test one) " unparsed-data=" "]'
> > > [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> > >
> > > James
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com
> > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> > > > Sent: Friday, December 02, 2011 8:19 AM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > Sent: Friday, December 02, 2011 4:17 PM
> > > > > To: lognorm
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > Thanks Rainer....is there anything I can do on my end to
> > > troubleshoot or
> > > > > make things easier?
> > > >
> > > > Get me a 36 hr day ;-) Let me check on the original question,
> maybe I
> > > see it.
> > > > Did you try with liblognorm's normalizer tool in verbose (-v) mode
> -
> > > that is
> > > > often quite educating.
> > > >
> > > > Rainer
> > > >
> > > > >
> > > > > James
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > > Gerhards
> > > > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > > > To: lognorm
> > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > >
> > > > > > Sorry...all of my time has been taken by that journald
> proposal. I
> > > > > hope to
> > > > > > resume regular work next week...
> > > > > >
> > > > > > rainer
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > >
> > > > > > > Any movement on this?  I am unable to move forward with rule
> > > > > creation for
> > > > > > > one of my devices until this is ironed out.  Thank you.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > James
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > Subject: [Lognorm] Question on special characters
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Hey all!
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > So...I think I'm getting down to the bottom of something
> that
> > > I've
> > > > > had an
> > > > > > > issue with.  Here's some tests:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Log contents to pass to normalizer, blick.txt:
> > > > > > >
> > > > > > > Test one)
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Rulebase file blick-rulebase:
> > > > > > >
> > > > > > > prefix=
> > > > > > >
> > > > > > > rule=: Test one)
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > >
> > > > > > > this works, and returns nothing, since no normalizing was
> > > required
> > > > > (as I
> > > > > > > understand it).
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Now...if I make the below change to the blick-rulebase file:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > prefix=
> > > > > > >
> > > > > > > rule=: Test %-:word%)
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > >
> > > > > > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Then it looks like something isn't working.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > If I remove the ")" in both blick.txt and blick-rulebase to
> > > reflect:
> > > > > > >
> > > > > > > Test one
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > prefix=
> > > > > > >
> > > > > > > rule=: Test %-:word%
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > then it works:
> > > > > > >
> > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > >
> > > > > > > [cee at 115 -="one"]
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > This seems to happen with matching %word% within
> parenthesis.
> > > Is
> > > > > there
> > > > > > > something I can do to check this on my end?  Thank you.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > James
> > > > > >
> > > > > > _______________________________________________
> > > > > > Lognorm mailing list
> > > > > > Lognorm at lists.adiscon.com
> > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > _______________________________________________
> > > > > Lognorm mailing list
> > > > > Lognorm at lists.adiscon.com
> > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From james.lay at wincofoods.com  Fri Dec  2 16:43:25 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 08:43:25 -0700
Subject: [Lognorm] Question on special characters
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local>
	<9B6E2A8877C38245BFB15CC491A11DA728159D@GRFEXC.intern.adiscon.com>
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E11@GOMAIL.go.winco.local>

Thanks Rainer...I'll look at the char-upto option and see what happens
:)

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, December 02, 2011 8:42 AM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > Sent: Friday, December 02, 2011 4:38 PM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > Thanks Rainer....tried with -vv and even -vvv...got the same info as
below.
> I'll
> > move on to other devices and backtrack to this one later.
> 
> Maybe my fault and you need to add some options ;) Anyhow, I had a
quick
> look. I think (not 100% sure) %word% is defined a whitespace delimited
> sequence. If so, "one)" is one word! There is a char-upto syntax where
you
> can say "evertything up to ")". This may help here. All from the back
of my
> head and unverified...
> 
> rainer
> >
> > James
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com
> > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
Gerhards
> > > Sent: Friday, December 02, 2011 8:34 AM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > I'll have a look soon, just wanted to add that -vv gives you even
more
> > info
> > > (probably more than you ever want ;))
> > > rainer
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > Sent: Friday, December 02, 2011 4:30 PM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > LoL...36 seems a little beefy ;)  Ok...here's the -v
output....very
> > > interesting!
> > > > Thanks again Rainer.
> > > >
> > > > liblognorm: read sample line: 'prefix='
> > > > liblognorm: read sample line: 'rule=: Test %-:word%) '
> > > > liblognorm: sample line to add: ': Test %-:word%) '
> > > >
> > > > liblognorm: addSampToTree 0 of 16
> > > > liblognorm: parsed literal: ' Test '
> > > > liblognorm: buildPTree: begin at 0x8c15030, offs 0
> > > > liblognorm: case 3.1
> > > > liblognorm: addPTree: offs 0
> > > > liblognorm: setPrefix lenBuf 6, offs 0
> > > > liblognorm: addSampToTree 6 of 16
> > > > liblognorm: parsed field: '-'
> > > > liblognorm: got new subtree 0x8c157a0
> > > > liblognorm: prev subtree 0x8c15030
> > > > liblognorm: new subtree 0x8c157a0
> > > > liblognorm: addSampToTree 14 of 16
> > > > liblognorm: parsed literal: ') '
> > > > liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> > > > liblognorm: case 3.1
> > > > liblognorm: addPTree: offs 0
> > > > liblognorm: setPrefix lenBuf 2, offs 0
> > > > liblognorm: end addSampToTree 16 of 16 number of tree nodes: 2
To
> > > > normalize: ' Test one) '
> > > > liblognorm: 0: prefix compare ' ', ' '
> > > > liblognorm: 1: prefix compare 'T', 'T'
> > > > liblognorm: 2: prefix compare 'e', 'e'
> > > > liblognorm: 3: prefix compare 's', 's'
> > > > liblognorm: 4: prefix compare 't', 't'
> > > > liblognorm: 5: prefix compare ' ', ' '
> > > > liblognorm: 6: prefix compare succeeded, still valid
> > > > liblognorm: 6:trying parser for field '-': 0xb77c4930
> > > > liblognorm: potential hit, trying subtree
> > > > liblognorm: 10: prefix compare ' ', ')'
> > > > liblognorm: 10 returns 1
> > > > liblognorm: 6 nonmatch, backtracking required, left=1
> > > > liblognorm: 6 no field, trying subtree char 'o': (nil)
> > > > liblognorm: 6 returns 1
> > > > liblognorm: final result for normalizer: left 1, endNode
0xbfc09dd0
> > > > normalized: '[cee at 115 originalmsg=" Test one) " unparsed-data="
"]'
> > > > [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> > > >
> > > > James
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com
> > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > Gerhards
> > > > > Sent: Friday, December 02, 2011 8:19 AM
> > > > > To: lognorm
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > Sent: Friday, December 02, 2011 4:17 PM
> > > > > > To: lognorm
> > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > >
> > > > > > Thanks Rainer....is there anything I can do on my end to
> > > > troubleshoot or
> > > > > > make things easier?
> > > > >
> > > > > Get me a 36 hr day ;-) Let me check on the original question,
> > maybe I
> > > > see it.
> > > > > Did you try with liblognorm's normalizer tool in verbose (-v)
mode
> > -
> > > > that is
> > > > > often quite educating.
> > > > >
> > > > > Rainer
> > > > >
> > > > > >
> > > > > > James
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of
Rainer
> > > > Gerhards
> > > > > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > > > > To: lognorm
> > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > >
> > > > > > > Sorry...all of my time has been taken by that journald
> > proposal. I
> > > > > > hope to
> > > > > > > resume regular work next week...
> > > > > > >
> > > > > > > rainer
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > >
> > > > > > > > Any movement on this?  I am unable to move forward with
rule
> > > > > > creation for
> > > > > > > > one of my devices until this is ironed out.  Thank you.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > James
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > Subject: [Lognorm] Question on special characters
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Hey all!
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > So...I think I'm getting down to the bottom of something
> > that
> > > > I've
> > > > > > had an
> > > > > > > > issue with.  Here's some tests:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Log contents to pass to normalizer, blick.txt:
> > > > > > > >
> > > > > > > > Test one)
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Rulebase file blick-rulebase:
> > > > > > > >
> > > > > > > > prefix=
> > > > > > > >
> > > > > > > > rule=: Test one)
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > >
> > > > > > > > this works, and returns nothing, since no normalizing
was
> > > > required
> > > > > > (as I
> > > > > > > > understand it).
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Now...if I make the below change to the blick-rulebase
file:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > prefix=
> > > > > > > >
> > > > > > > > rule=: Test %-:word%)
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > >
> > > > > > > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Then it looks like something isn't working.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > If I remove the ")" in both blick.txt and blick-rulebase
to
> > > > reflect:
> > > > > > > >
> > > > > > > > Test one
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > prefix=
> > > > > > > >
> > > > > > > > rule=: Test %-:word%
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > then it works:
> > > > > > > >
> > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > >
> > > > > > > > [cee at 115 -="one"]
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > This seems to happen with matching %word% within
> > parenthesis.
> > > > Is
> > > > > > there
> > > > > > > > something I can do to check this on my end?  Thank you.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > James
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Lognorm mailing list
> > > > > > > Lognorm at lists.adiscon.com
> > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > _______________________________________________
> > > > > > Lognorm mailing list
> > > > > > Lognorm at lists.adiscon.com
> > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > _______________________________________________
> > > > > Lognorm mailing list
> > > > > Lognorm at lists.adiscon.com
> > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From james.lay at wincofoods.com  Fri Dec  2 16:45:47 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 08:45:47 -0700
Subject: [Lognorm] Question on special characters
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159D@GRFEXC.intern.adiscon.com>
	<360E0F1A6850C74D89B37C3A22C9DE1F07051E11@GOMAIL.go.winco.local>
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E12@GOMAIL.go.winco.local>

Ah for.....yea check this out:

liblognorm: read sample line: 'prefix='
liblognorm: read sample line: 'rule=: Test %-:word% '
liblognorm: sample line to add: ': Test %-:word% '

liblognorm: addSampToTree 0 of 15
liblognorm: parsed literal: ' Test '
liblognorm: buildPTree: begin at 0x8bcd030, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 6, offs 0
liblognorm: addSampToTree 6 of 15
liblognorm: parsed field: '-'
liblognorm: got new subtree 0x8bcd7a0
liblognorm: prev subtree 0x8bcd030
liblognorm: new subtree 0x8bcd7a0
liblognorm: addSampToTree 14 of 15
liblognorm: parsed literal: ' '
liblognorm: buildPTree: begin at 0x8bcd7a0, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 1, offs 0
liblognorm: end addSampToTree 15 of 15
number of tree nodes: 2
To normalize: ' Test one) '
liblognorm: 0: prefix compare ' ', ' '
liblognorm: 1: prefix compare 'T', 'T'
liblognorm: 2: prefix compare 'e', 'e'
liblognorm: 3: prefix compare 's', 's'
liblognorm: 4: prefix compare 't', 't'
liblognorm: 5: prefix compare ' ', ' '
liblognorm: 6: prefix compare succeeded, still valid
liblognorm: 6:trying parser for field '-': 0xb7795930
liblognorm: potential hit, trying subtree
liblognorm: 10: prefix compare ' ', ' '
liblognorm: 11: prefix compare succeeded, still valid
liblognorm: 11 returns 0
liblognorm: 6: parser matches at 10
liblognorm: 6 returns 0
liblognorm: final result for normalizer: left 0, endNode 0x8bcd7a0,
isTerminal 1, tagbucket (nil)
normalized: '[cee at 115 -="one)"]'
[cee at 115 -="one)"]

That's what it was..."one)" is viewed as one word!  Nice...thanks for
the assist Rainer.  Hope you get a break at some point in time.

James

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 8:43 AM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> Thanks Rainer...I'll look at the char-upto option and see what happens
> :)
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
Gerhards
> > Sent: Friday, December 02, 2011 8:42 AM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > Sent: Friday, December 02, 2011 4:38 PM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > Thanks Rainer....tried with -vv and even -vvv...got the same info
as
> below.
> > I'll
> > > move on to other devices and backtrack to this one later.
> >
> > Maybe my fault and you need to add some options ;) Anyhow, I had a
> quick
> > look. I think (not 100% sure) %word% is defined a whitespace
delimited
> > sequence. If so, "one)" is one word! There is a char-upto syntax
where
> you
> > can say "evertything up to ")". This may help here. All from the
back
> of my
> > head and unverified...
> >
> > rainer
> > >
> > > James
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com
> > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> > > > Sent: Friday, December 02, 2011 8:34 AM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > I'll have a look soon, just wanted to add that -vv gives you
even
> more
> > > info
> > > > (probably more than you ever want ;))
> > > > rainer
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > Sent: Friday, December 02, 2011 4:30 PM
> > > > > To: lognorm
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > LoL...36 seems a little beefy ;)  Ok...here's the -v
> output....very
> > > > interesting!
> > > > > Thanks again Rainer.
> > > > >
> > > > > liblognorm: read sample line: 'prefix='
> > > > > liblognorm: read sample line: 'rule=: Test %-:word%) '
> > > > > liblognorm: sample line to add: ': Test %-:word%) '
> > > > >
> > > > > liblognorm: addSampToTree 0 of 16
> > > > > liblognorm: parsed literal: ' Test '
> > > > > liblognorm: buildPTree: begin at 0x8c15030, offs 0
> > > > > liblognorm: case 3.1
> > > > > liblognorm: addPTree: offs 0
> > > > > liblognorm: setPrefix lenBuf 6, offs 0
> > > > > liblognorm: addSampToTree 6 of 16
> > > > > liblognorm: parsed field: '-'
> > > > > liblognorm: got new subtree 0x8c157a0
> > > > > liblognorm: prev subtree 0x8c15030
> > > > > liblognorm: new subtree 0x8c157a0
> > > > > liblognorm: addSampToTree 14 of 16
> > > > > liblognorm: parsed literal: ') '
> > > > > liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> > > > > liblognorm: case 3.1
> > > > > liblognorm: addPTree: offs 0
> > > > > liblognorm: setPrefix lenBuf 2, offs 0
> > > > > liblognorm: end addSampToTree 16 of 16 number of tree nodes: 2
> To
> > > > > normalize: ' Test one) '
> > > > > liblognorm: 0: prefix compare ' ', ' '
> > > > > liblognorm: 1: prefix compare 'T', 'T'
> > > > > liblognorm: 2: prefix compare 'e', 'e'
> > > > > liblognorm: 3: prefix compare 's', 's'
> > > > > liblognorm: 4: prefix compare 't', 't'
> > > > > liblognorm: 5: prefix compare ' ', ' '
> > > > > liblognorm: 6: prefix compare succeeded, still valid
> > > > > liblognorm: 6:trying parser for field '-': 0xb77c4930
> > > > > liblognorm: potential hit, trying subtree
> > > > > liblognorm: 10: prefix compare ' ', ')'
> > > > > liblognorm: 10 returns 1
> > > > > liblognorm: 6 nonmatch, backtracking required, left=1
> > > > > liblognorm: 6 no field, trying subtree char 'o': (nil)
> > > > > liblognorm: 6 returns 1
> > > > > liblognorm: final result for normalizer: left 1, endNode
> 0xbfc09dd0
> > > > > normalized: '[cee at 115 originalmsg=" Test one) "
unparsed-data="
> "]'
> > > > > [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> > > > >
> > > > > James
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > > Gerhards
> > > > > > Sent: Friday, December 02, 2011 8:19 AM
> > > > > > To: lognorm
> > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > Sent: Friday, December 02, 2011 4:17 PM
> > > > > > > To: lognorm
> > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > >
> > > > > > > Thanks Rainer....is there anything I can do on my end to
> > > > > troubleshoot or
> > > > > > > make things easier?
> > > > > >
> > > > > > Get me a 36 hr day ;-) Let me check on the original
question,
> > > maybe I
> > > > > see it.
> > > > > > Did you try with liblognorm's normalizer tool in verbose
(-v)
> mode
> > > -
> > > > > that is
> > > > > > often quite educating.
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > >
> > > > > > > James
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of
> Rainer
> > > > > Gerhards
> > > > > > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > > > > > To: lognorm
> > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > >
> > > > > > > > Sorry...all of my time has been taken by that journald
> > > proposal. I
> > > > > > > hope to
> > > > > > > > resume regular work next week...
> > > > > > > >
> > > > > > > > rainer
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-
> > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > > >
> > > > > > > > > Any movement on this?  I am unable to move forward
with
> rule
> > > > > > > creation for
> > > > > > > > > one of my devices until this is ironed out.  Thank
you.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > James
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-
> > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > Subject: [Lognorm] Question on special characters
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Hey all!
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > So...I think I'm getting down to the bottom of
something
> > > that
> > > > > I've
> > > > > > > had an
> > > > > > > > > issue with.  Here's some tests:
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Log contents to pass to normalizer, blick.txt:
> > > > > > > > >
> > > > > > > > > Test one)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Rulebase file blick-rulebase:
> > > > > > > > >
> > > > > > > > > prefix=
> > > > > > > > >
> > > > > > > > > rule=: Test one)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > >
> > > > > > > > > this works, and returns nothing, since no normalizing
> was
> > > > > required
> > > > > > > (as I
> > > > > > > > > understand it).
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Now...if I make the below change to the blick-rulebase
> file:
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > prefix=
> > > > > > > > >
> > > > > > > > > rule=: Test %-:word%)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > >
> > > > > > > > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Then it looks like something isn't working.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > If I remove the ")" in both blick.txt and
blick-rulebase
> to
> > > > > reflect:
> > > > > > > > >
> > > > > > > > > Test one
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > prefix=
> > > > > > > > >
> > > > > > > > > rule=: Test %-:word%
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > then it works:
> > > > > > > > >
> > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > >
> > > > > > > > > [cee at 115 -="one"]
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > This seems to happen with matching %word% within
> > > parenthesis.
> > > > > Is
> > > > > > > there
> > > > > > > > > something I can do to check this on my end?  Thank
you.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > James
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Lognorm mailing list
> > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > _______________________________________________
> > > > > > > Lognorm mailing list
> > > > > > > Lognorm at lists.adiscon.com
> > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > _______________________________________________
> > > > > > Lognorm mailing list
> > > > > > Lognorm at lists.adiscon.com
> > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > _______________________________________________
> > > > > Lognorm mailing list
> > > > > Lognorm at lists.adiscon.com
> > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From rgerhards at hq.adiscon.com  Fri Dec  2 17:12:13 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 2 Dec 2011 17:12:13 +0100
Subject: [Lognorm] Question on special characters
In-Reply-To: <360E0F1A6850C74D89B37C3A22C9DE1F07051E12@GOMAIL.go.winco.local>
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159D@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E11@GOMAIL.go.winco.local>
	<360E0F1A6850C74D89B37C3A22C9DE1F07051E12@GOMAIL.go.winco.local>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728159E@GRFEXC.intern.adiscon.com>

> That's what it was..."one)" is viewed as one word!  Nice...thanks for the
> assist Rainer.  Hope you get a break at some point in time.

If it's not already there, an "alphaword" syntax probably makes sense. What
do you mean?
raienr

> 
> James
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Lay, James
> > Sent: Friday, December 02, 2011 8:43 AM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > Thanks Rainer...I'll look at the char-upto option and see what happens
> > :)
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com
> > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> > > Sent: Friday, December 02, 2011 8:42 AM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > Sent: Friday, December 02, 2011 4:38 PM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > Thanks Rainer....tried with -vv and even -vvv...got the same info
> as
> > below.
> > > I'll
> > > > move on to other devices and backtrack to this one later.
> > >
> > > Maybe my fault and you need to add some options ;) Anyhow, I had a
> > quick
> > > look. I think (not 100% sure) %word% is defined a whitespace
> delimited
> > > sequence. If so, "one)" is one word! There is a char-upto syntax
> where
> > you
> > > can say "evertything up to ")". This may help here. All from the
> back
> > of my
> > > head and unverified...
> > >
> > > rainer
> > > >
> > > > James
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com
> > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > Gerhards
> > > > > Sent: Friday, December 02, 2011 8:34 AM
> > > > > To: lognorm
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > I'll have a look soon, just wanted to add that -vv gives you
> even
> > more
> > > > info
> > > > > (probably more than you ever want ;)) rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > Sent: Friday, December 02, 2011 4:30 PM
> > > > > > To: lognorm
> > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > >
> > > > > > LoL...36 seems a little beefy ;)  Ok...here's the -v
> > output....very
> > > > > interesting!
> > > > > > Thanks again Rainer.
> > > > > >
> > > > > > liblognorm: read sample line: 'prefix='
> > > > > > liblognorm: read sample line: 'rule=: Test %-:word%) '
> > > > > > liblognorm: sample line to add: ': Test %-:word%) '
> > > > > >
> > > > > > liblognorm: addSampToTree 0 of 16
> > > > > > liblognorm: parsed literal: ' Test '
> > > > > > liblognorm: buildPTree: begin at 0x8c15030, offs 0
> > > > > > liblognorm: case 3.1
> > > > > > liblognorm: addPTree: offs 0
> > > > > > liblognorm: setPrefix lenBuf 6, offs 0
> > > > > > liblognorm: addSampToTree 6 of 16
> > > > > > liblognorm: parsed field: '-'
> > > > > > liblognorm: got new subtree 0x8c157a0
> > > > > > liblognorm: prev subtree 0x8c15030
> > > > > > liblognorm: new subtree 0x8c157a0
> > > > > > liblognorm: addSampToTree 14 of 16
> > > > > > liblognorm: parsed literal: ') '
> > > > > > liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> > > > > > liblognorm: case 3.1
> > > > > > liblognorm: addPTree: offs 0
> > > > > > liblognorm: setPrefix lenBuf 2, offs 0
> > > > > > liblognorm: end addSampToTree 16 of 16 number of tree nodes: 2
> > To
> > > > > > normalize: ' Test one) '
> > > > > > liblognorm: 0: prefix compare ' ', ' '
> > > > > > liblognorm: 1: prefix compare 'T', 'T'
> > > > > > liblognorm: 2: prefix compare 'e', 'e'
> > > > > > liblognorm: 3: prefix compare 's', 's'
> > > > > > liblognorm: 4: prefix compare 't', 't'
> > > > > > liblognorm: 5: prefix compare ' ', ' '
> > > > > > liblognorm: 6: prefix compare succeeded, still valid
> > > > > > liblognorm: 6:trying parser for field '-': 0xb77c4930
> > > > > > liblognorm: potential hit, trying subtree
> > > > > > liblognorm: 10: prefix compare ' ', ')'
> > > > > > liblognorm: 10 returns 1
> > > > > > liblognorm: 6 nonmatch, backtracking required, left=1
> > > > > > liblognorm: 6 no field, trying subtree char 'o': (nil)
> > > > > > liblognorm: 6 returns 1
> > > > > > liblognorm: final result for normalizer: left 1, endNode
> > 0xbfc09dd0
> > > > > > normalized: '[cee at 115 originalmsg=" Test one) "
> unparsed-data="
> > "]'
> > > > > > [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> > > > > >
> > > > > > James
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > > > Gerhards
> > > > > > > Sent: Friday, December 02, 2011 8:19 AM
> > > > > > > To: lognorm
> > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > Sent: Friday, December 02, 2011 4:17 PM
> > > > > > > > To: lognorm
> > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > >
> > > > > > > > Thanks Rainer....is there anything I can do on my end to
> > > > > > troubleshoot or
> > > > > > > > make things easier?
> > > > > > >
> > > > > > > Get me a 36 hr day ;-) Let me check on the original
> question,
> > > > maybe I
> > > > > > see it.
> > > > > > > Did you try with liblognorm's normalizer tool in verbose
> (-v)
> > mode
> > > > -
> > > > > > that is
> > > > > > > often quite educating.
> > > > > > >
> > > > > > > Rainer
> > > > > > >
> > > > > > > >
> > > > > > > > James
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of
> > Rainer
> > > > > > Gerhards
> > > > > > > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > > > > > > To: lognorm
> > > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > > >
> > > > > > > > > Sorry...all of my time has been taken by that journald
> > > > proposal. I
> > > > > > > > hope to
> > > > > > > > > resume regular work next week...
> > > > > > > > >
> > > > > > > > > rainer
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-
> > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > > > >
> > > > > > > > > > Any movement on this?  I am unable to move forward
> with
> > rule
> > > > > > > > creation for
> > > > > > > > > > one of my devices until this is ironed out.  Thank
> you.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > James
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-
> > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > > Subject: [Lognorm] Question on special characters
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Hey all!
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > So...I think I'm getting down to the bottom of
> something
> > > > that
> > > > > > I've
> > > > > > > > had an
> > > > > > > > > > issue with.  Here's some tests:
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Log contents to pass to normalizer, blick.txt:
> > > > > > > > > >
> > > > > > > > > > Test one)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Rulebase file blick-rulebase:
> > > > > > > > > >
> > > > > > > > > > prefix=
> > > > > > > > > >
> > > > > > > > > > rule=: Test one)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > >
> > > > > > > > > > this works, and returns nothing, since no normalizing
> > was
> > > > > > required
> > > > > > > > (as I
> > > > > > > > > > understand it).
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Now...if I make the below change to the blick-rulebase
> > file:
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > prefix=
> > > > > > > > > >
> > > > > > > > > > rule=: Test %-:word%)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > >
> > > > > > > > > > [cee at 115 originalmsg=" Test one)" unparsed-data=" "]
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Then it looks like something isn't working.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > If I remove the ")" in both blick.txt and
> blick-rulebase
> > to
> > > > > > reflect:
> > > > > > > > > >
> > > > > > > > > > Test one
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > prefix=
> > > > > > > > > >
> > > > > > > > > > rule=: Test %-:word%
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > then it works:
> > > > > > > > > >
> > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > >
> > > > > > > > > > [cee at 115 -="one"]
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > This seems to happen with matching %word% within
> > > > parenthesis.
> > > > > > Is
> > > > > > > > there
> > > > > > > > > > something I can do to check this on my end?  Thank
> you.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > James
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Lognorm mailing list
> > > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > > _______________________________________________
> > > > > > > > Lognorm mailing list
> > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > _______________________________________________
> > > > > > > Lognorm mailing list
> > > > > > > Lognorm at lists.adiscon.com
> > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > _______________________________________________
> > > > > > Lognorm mailing list
> > > > > > Lognorm at lists.adiscon.com
> > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > _______________________________________________
> > > > > Lognorm mailing list
> > > > > Lognorm at lists.adiscon.com
> > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From james.lay at wincofoods.com  Fri Dec  2 18:20:35 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 10:20:35 -0700
Subject: [Lognorm] Question on special characters
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159D@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E11@GOMAIL.go.winco.local><360E0F1A6850C74D89B37C3A22C9DE1F07051E12@GOMAIL.go.winco.local>
	<9B6E2A8877C38245BFB15CC491A11DA728159E@GRFEXC.intern.adiscon.com>
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E15@GOMAIL.go.winco.local>

Just that I didn't understand that "one)" is equal to %-:word%....I
thought I'd need to match %-:word%)

Thanks again Rainer...I hope the weekend is good :)

James

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, December 02, 2011 9:12 AM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> > That's what it was..."one)" is viewed as one word!  Nice...thanks
for the
> > assist Rainer.  Hope you get a break at some point in time.
> 
> If it's not already there, an "alphaword" syntax probably makes sense.
What
> do you mean?
> raienr
> 
> >
> > James
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com
> > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > Sent: Friday, December 02, 2011 8:43 AM
> > > To: lognorm
> > > Subject: Re: [Lognorm] Question on special characters
> > >
> > > Thanks Rainer...I'll look at the char-upto option and see what
happens
> > > :)
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com
> > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > Gerhards
> > > > Sent: Friday, December 02, 2011 8:42 AM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > Sent: Friday, December 02, 2011 4:38 PM
> > > > > To: lognorm
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > Thanks Rainer....tried with -vv and even -vvv...got the same
info
> > as
> > > below.
> > > > I'll
> > > > > move on to other devices and backtrack to this one later.
> > > >
> > > > Maybe my fault and you need to add some options ;) Anyhow, I had
a
> > > quick
> > > > look. I think (not 100% sure) %word% is defined a whitespace
> > delimited
> > > > sequence. If so, "one)" is one word! There is a char-upto syntax
> > where
> > > you
> > > > can say "evertything up to ")". This may help here. All from the
> > back
> > > of my
> > > > head and unverified...
> > > >
> > > > rainer
> > > > >
> > > > > James
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > > Gerhards
> > > > > > Sent: Friday, December 02, 2011 8:34 AM
> > > > > > To: lognorm
> > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > >
> > > > > > I'll have a look soon, just wanted to add that -vv gives you
> > even
> > > more
> > > > > info
> > > > > > (probably more than you ever want ;)) rainer
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > Sent: Friday, December 02, 2011 4:30 PM
> > > > > > > To: lognorm
> > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > >
> > > > > > > LoL...36 seems a little beefy ;)  Ok...here's the -v
> > > output....very
> > > > > > interesting!
> > > > > > > Thanks again Rainer.
> > > > > > >
> > > > > > > liblognorm: read sample line: 'prefix='
> > > > > > > liblognorm: read sample line: 'rule=: Test %-:word%) '
> > > > > > > liblognorm: sample line to add: ': Test %-:word%) '
> > > > > > >
> > > > > > > liblognorm: addSampToTree 0 of 16
> > > > > > > liblognorm: parsed literal: ' Test '
> > > > > > > liblognorm: buildPTree: begin at 0x8c15030, offs 0
> > > > > > > liblognorm: case 3.1
> > > > > > > liblognorm: addPTree: offs 0
> > > > > > > liblognorm: setPrefix lenBuf 6, offs 0
> > > > > > > liblognorm: addSampToTree 6 of 16
> > > > > > > liblognorm: parsed field: '-'
> > > > > > > liblognorm: got new subtree 0x8c157a0
> > > > > > > liblognorm: prev subtree 0x8c15030
> > > > > > > liblognorm: new subtree 0x8c157a0
> > > > > > > liblognorm: addSampToTree 14 of 16
> > > > > > > liblognorm: parsed literal: ') '
> > > > > > > liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> > > > > > > liblognorm: case 3.1
> > > > > > > liblognorm: addPTree: offs 0
> > > > > > > liblognorm: setPrefix lenBuf 2, offs 0
> > > > > > > liblognorm: end addSampToTree 16 of 16 number of tree
nodes: 2
> > > To
> > > > > > > normalize: ' Test one) '
> > > > > > > liblognorm: 0: prefix compare ' ', ' '
> > > > > > > liblognorm: 1: prefix compare 'T', 'T'
> > > > > > > liblognorm: 2: prefix compare 'e', 'e'
> > > > > > > liblognorm: 3: prefix compare 's', 's'
> > > > > > > liblognorm: 4: prefix compare 't', 't'
> > > > > > > liblognorm: 5: prefix compare ' ', ' '
> > > > > > > liblognorm: 6: prefix compare succeeded, still valid
> > > > > > > liblognorm: 6:trying parser for field '-': 0xb77c4930
> > > > > > > liblognorm: potential hit, trying subtree
> > > > > > > liblognorm: 10: prefix compare ' ', ')'
> > > > > > > liblognorm: 10 returns 1
> > > > > > > liblognorm: 6 nonmatch, backtracking required, left=1
> > > > > > > liblognorm: 6 no field, trying subtree char 'o': (nil)
> > > > > > > liblognorm: 6 returns 1
> > > > > > > liblognorm: final result for normalizer: left 1, endNode
> > > 0xbfc09dd0
> > > > > > > normalized: '[cee at 115 originalmsg=" Test one) "
> > unparsed-data="
> > > "]'
> > > > > > > [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> > > > > > >
> > > > > > > James
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of
Rainer
> > > > > Gerhards
> > > > > > > > Sent: Friday, December 02, 2011 8:19 AM
> > > > > > > > To: lognorm
> > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: lognorm-bounces at lists.adiscon.com
[mailto:lognorm-
> > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > Sent: Friday, December 02, 2011 4:17 PM
> > > > > > > > > To: lognorm
> > > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > > >
> > > > > > > > > Thanks Rainer....is there anything I can do on my end
to
> > > > > > > troubleshoot or
> > > > > > > > > make things easier?
> > > > > > > >
> > > > > > > > Get me a 36 hr day ;-) Let me check on the original
> > question,
> > > > > maybe I
> > > > > > > see it.
> > > > > > > > Did you try with liblognorm's normalizer tool in verbose
> > (-v)
> > > mode
> > > > > -
> > > > > > > that is
> > > > > > > > often quite educating.
> > > > > > > >
> > > > > > > > Rainer
> > > > > > > >
> > > > > > > > >
> > > > > > > > > James
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf
Of
> > > Rainer
> > > > > > > Gerhards
> > > > > > > > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > > > > > > > To: lognorm
> > > > > > > > > > Subject: Re: [Lognorm] Question on special
characters
> > > > > > > > > >
> > > > > > > > > > Sorry...all of my time has been taken by that
journald
> > > > > proposal. I
> > > > > > > > > hope to
> > > > > > > > > > resume regular work next week...
> > > > > > > > > >
> > > > > > > > > > rainer
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > [mailto:lognorm-
> > > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > > > Subject: Re: [Lognorm] Question on special
characters
> > > > > > > > > > >
> > > > > > > > > > > Any movement on this?  I am unable to move forward
> > with
> > > rule
> > > > > > > > > creation for
> > > > > > > > > > > one of my devices until this is ironed out.  Thank
> > you.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > James
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > [mailto:lognorm-
> > > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > > > Subject: [Lognorm] Question on special characters
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Hey all!
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > So...I think I'm getting down to the bottom of
> > something
> > > > > that
> > > > > > > I've
> > > > > > > > > had an
> > > > > > > > > > > issue with.  Here's some tests:
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Log contents to pass to normalizer, blick.txt:
> > > > > > > > > > >
> > > > > > > > > > > Test one)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Rulebase file blick-rulebase:
> > > > > > > > > > >
> > > > > > > > > > > prefix=
> > > > > > > > > > >
> > > > > > > > > > > rule=: Test one)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > > >
> > > > > > > > > > > this works, and returns nothing, since no
normalizing
> > > was
> > > > > > > required
> > > > > > > > > (as I
> > > > > > > > > > > understand it).
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Now...if I make the below change to the
blick-rulebase
> > > file:
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > prefix=
> > > > > > > > > > >
> > > > > > > > > > > rule=: Test %-:word%)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > > >
> > > > > > > > > > > [cee at 115 originalmsg=" Test one)" unparsed-data="
"]
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Then it looks like something isn't working.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > If I remove the ")" in both blick.txt and
> > blick-rulebase
> > > to
> > > > > > > reflect:
> > > > > > > > > > >
> > > > > > > > > > > Test one
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > prefix=
> > > > > > > > > > >
> > > > > > > > > > > rule=: Test %-:word%
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > then it works:
> > > > > > > > > > >
> > > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > > >
> > > > > > > > > > > [cee at 115 -="one"]
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > This seems to happen with matching %word% within
> > > > > parenthesis.
> > > > > > > Is
> > > > > > > > > there
> > > > > > > > > > > something I can do to check this on my end?  Thank
> > you.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > James
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Lognorm mailing list
> > > > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > > > _______________________________________________
> > > > > > > > > Lognorm mailing list
> > > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > > _______________________________________________
> > > > > > > > Lognorm mailing list
> > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > _______________________________________________
> > > > > > > Lognorm mailing list
> > > > > > > Lognorm at lists.adiscon.com
> > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > _______________________________________________
> > > > > > Lognorm mailing list
> > > > > > Lognorm at lists.adiscon.com
> > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > _______________________________________________
> > > > > Lognorm mailing list
> > > > > Lognorm at lists.adiscon.com
> > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From rgerhards at hq.adiscon.com  Fri Dec  2 18:25:54 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 2 Dec 2011 18:25:54 +0100
Subject: [Lognorm] Question on special characters
In-Reply-To: <360E0F1A6850C74D89B37C3A22C9DE1F07051E15@GOMAIL.go.winco.local>
References: <360E0F1A6850C74D89B37C3A22C9DE1F07051E0A@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281598@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0C@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA7281599@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0D@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159C@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E0E@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159D@GRFEXC.intern.adiscon.com><360E0F1A6850C74D89B37C3A22C9DE1F07051E11@GOMAIL.go.winco.local><360E0F1A6850C74D89B37C3A22C9DE1F07051E12@GOMAIL.go.winco.local><9B6E2A8877C38245BFB15CC491A11DA728159E@GRFEXC.intern.adiscon.com>
	<360E0F1A6850C74D89B37C3A22C9DE1F07051E15@GOMAIL.go.winco.local>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72815A0@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 6:21 PM
> To: lognorm
> Subject: Re: [Lognorm] Question on special characters
> 
> Just that I didn't understand that "one)" is equal to %-:word%....I thought
I'd
> need to match %-:word%)

That's actually the bad thing with very broad syntaxes, and why I like
specific parsers. The broad ones (word is) tend to fit in more situations as
one usually likes...

Have a great weekend, too!

rainer
> 
> Thanks again Rainer...I hope the weekend is good :)
> 
> James
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Friday, December 02, 2011 9:12 AM
> > To: lognorm
> > Subject: Re: [Lognorm] Question on special characters
> >
> > > That's what it was..."one)" is viewed as one word!  Nice...thanks
> for the
> > > assist Rainer.  Hope you get a break at some point in time.
> >
> > If it's not already there, an "alphaword" syntax probably makes sense.
> What
> > do you mean?
> > raienr
> >
> > >
> > > James
> > >
> > > > -----Original Message-----
> > > > From: lognorm-bounces at lists.adiscon.com
> > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > Sent: Friday, December 02, 2011 8:43 AM
> > > > To: lognorm
> > > > Subject: Re: [Lognorm] Question on special characters
> > > >
> > > > Thanks Rainer...I'll look at the char-upto option and see what
> happens
> > > > :)
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com
> > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > > Gerhards
> > > > > Sent: Friday, December 02, 2011 8:42 AM
> > > > > To: lognorm
> > > > > Subject: Re: [Lognorm] Question on special characters
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > Sent: Friday, December 02, 2011 4:38 PM
> > > > > > To: lognorm
> > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > >
> > > > > > Thanks Rainer....tried with -vv and even -vvv...got the same
> info
> > > as
> > > > below.
> > > > > I'll
> > > > > > move on to other devices and backtrack to this one later.
> > > > >
> > > > > Maybe my fault and you need to add some options ;) Anyhow, I had
> a
> > > > quick
> > > > > look. I think (not 100% sure) %word% is defined a whitespace
> > > delimited
> > > > > sequence. If so, "one)" is one word! There is a char-upto syntax
> > > where
> > > > you
> > > > > can say "evertything up to ")". This may help here. All from the
> > > back
> > > > of my
> > > > > head and unverified...
> > > > >
> > > > > rainer
> > > > > >
> > > > > > James
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer
> > > > Gerhards
> > > > > > > Sent: Friday, December 02, 2011 8:34 AM
> > > > > > > To: lognorm
> > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > >
> > > > > > > I'll have a look soon, just wanted to add that -vv gives you
> > > even
> > > > more
> > > > > > info
> > > > > > > (probably more than you ever want ;)) rainer
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > Sent: Friday, December 02, 2011 4:30 PM
> > > > > > > > To: lognorm
> > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > >
> > > > > > > > LoL...36 seems a little beefy ;)  Ok...here's the -v
> > > > output....very
> > > > > > > interesting!
> > > > > > > > Thanks again Rainer.
> > > > > > > >
> > > > > > > > liblognorm: read sample line: 'prefix='
> > > > > > > > liblognorm: read sample line: 'rule=: Test %-:word%) '
> > > > > > > > liblognorm: sample line to add: ': Test %-:word%) '
> > > > > > > >
> > > > > > > > liblognorm: addSampToTree 0 of 16
> > > > > > > > liblognorm: parsed literal: ' Test '
> > > > > > > > liblognorm: buildPTree: begin at 0x8c15030, offs 0
> > > > > > > > liblognorm: case 3.1
> > > > > > > > liblognorm: addPTree: offs 0
> > > > > > > > liblognorm: setPrefix lenBuf 6, offs 0
> > > > > > > > liblognorm: addSampToTree 6 of 16
> > > > > > > > liblognorm: parsed field: '-'
> > > > > > > > liblognorm: got new subtree 0x8c157a0
> > > > > > > > liblognorm: prev subtree 0x8c15030
> > > > > > > > liblognorm: new subtree 0x8c157a0
> > > > > > > > liblognorm: addSampToTree 14 of 16
> > > > > > > > liblognorm: parsed literal: ') '
> > > > > > > > liblognorm: buildPTree: begin at 0x8c157a0, offs 0
> > > > > > > > liblognorm: case 3.1
> > > > > > > > liblognorm: addPTree: offs 0
> > > > > > > > liblognorm: setPrefix lenBuf 2, offs 0
> > > > > > > > liblognorm: end addSampToTree 16 of 16 number of tree
> nodes: 2
> > > > To
> > > > > > > > normalize: ' Test one) '
> > > > > > > > liblognorm: 0: prefix compare ' ', ' '
> > > > > > > > liblognorm: 1: prefix compare 'T', 'T'
> > > > > > > > liblognorm: 2: prefix compare 'e', 'e'
> > > > > > > > liblognorm: 3: prefix compare 's', 's'
> > > > > > > > liblognorm: 4: prefix compare 't', 't'
> > > > > > > > liblognorm: 5: prefix compare ' ', ' '
> > > > > > > > liblognorm: 6: prefix compare succeeded, still valid
> > > > > > > > liblognorm: 6:trying parser for field '-': 0xb77c4930
> > > > > > > > liblognorm: potential hit, trying subtree
> > > > > > > > liblognorm: 10: prefix compare ' ', ')'
> > > > > > > > liblognorm: 10 returns 1
> > > > > > > > liblognorm: 6 nonmatch, backtracking required, left=1
> > > > > > > > liblognorm: 6 no field, trying subtree char 'o': (nil)
> > > > > > > > liblognorm: 6 returns 1
> > > > > > > > liblognorm: final result for normalizer: left 1, endNode
> > > > 0xbfc09dd0
> > > > > > > > normalized: '[cee at 115 originalmsg=" Test one) "
> > > unparsed-data="
> > > > "]'
> > > > > > > > [cee at 115 originalmsg=" Test one) " unparsed-data=" "]
> > > > > > > >
> > > > > > > > James
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of
> Rainer
> > > > > > Gerhards
> > > > > > > > > Sent: Friday, December 02, 2011 8:19 AM
> > > > > > > > > To: lognorm
> > > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> [mailto:lognorm-
> > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > > Sent: Friday, December 02, 2011 4:17 PM
> > > > > > > > > > To: lognorm
> > > > > > > > > > Subject: Re: [Lognorm] Question on special characters
> > > > > > > > > >
> > > > > > > > > > Thanks Rainer....is there anything I can do on my end
> to
> > > > > > > > troubleshoot or
> > > > > > > > > > make things easier?
> > > > > > > > >
> > > > > > > > > Get me a 36 hr day ;-) Let me check on the original
> > > question,
> > > > > > maybe I
> > > > > > > > see it.
> > > > > > > > > Did you try with liblognorm's normalizer tool in verbose
> > > (-v)
> > > > mode
> > > > > > -
> > > > > > > > that is
> > > > > > > > > often quite educating.
> > > > > > > > >
> > > > > > > > > Rainer
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > James
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > > > > > > > > [mailto:lognorm-bounces at lists.adiscon.com] On Behalf
> Of
> > > > Rainer
> > > > > > > > Gerhards
> > > > > > > > > > > Sent: Friday, December 02, 2011 7:54 AM
> > > > > > > > > > > To: lognorm
> > > > > > > > > > > Subject: Re: [Lognorm] Question on special
> characters
> > > > > > > > > > >
> > > > > > > > > > > Sorry...all of my time has been taken by that
> journald
> > > > > > proposal. I
> > > > > > > > > > hope to
> > > > > > > > > > > resume regular work next week...
> > > > > > > > > > >
> > > > > > > > > > > rainer
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > [mailto:lognorm-
> > > > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > > > > Sent: Friday, December 02, 2011 3:52 PM
> > > > > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > > > > Subject: Re: [Lognorm] Question on special
> characters
> > > > > > > > > > > >
> > > > > > > > > > > > Any movement on this?  I am unable to move forward
> > > with
> > > > rule
> > > > > > > > > > creation for
> > > > > > > > > > > > one of my devices until this is ironed out.  Thank
> > > you.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > James
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > From: lognorm-bounces at lists.adiscon.com
> > > [mailto:lognorm-
> > > > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Lay, James
> > > > > > > > > > > > Sent: Thursday, November 24, 2011 11:32 AM
> > > > > > > > > > > > To: lognorm at lists.adiscon.com
> > > > > > > > > > > > Subject: [Lognorm] Question on special characters
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Hey all!
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > So...I think I'm getting down to the bottom of
> > > something
> > > > > > that
> > > > > > > > I've
> > > > > > > > > > had an
> > > > > > > > > > > > issue with.  Here's some tests:
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Log contents to pass to normalizer, blick.txt:
> > > > > > > > > > > >
> > > > > > > > > > > > Test one)
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Rulebase file blick-rulebase:
> > > > > > > > > > > >
> > > > > > > > > > > > prefix=
> > > > > > > > > > > >
> > > > > > > > > > > > rule=: Test one)
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > > > >
> > > > > > > > > > > > this works, and returns nothing, since no
> normalizing
> > > > was
> > > > > > > > required
> > > > > > > > > > (as I
> > > > > > > > > > > > understand it).
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Now...if I make the below change to the
> blick-rulebase
> > > > file:
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > prefix=
> > > > > > > > > > > >
> > > > > > > > > > > > rule=: Test %-:word%)
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > > > >
> > > > > > > > > > > > [cee at 115 originalmsg=" Test one)" unparsed-data="
> "]
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Then it looks like something isn't working.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > If I remove the ")" in both blick.txt and
> > > blick-rulebase
> > > > to
> > > > > > > > reflect:
> > > > > > > > > > > >
> > > > > > > > > > > > Test one
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > prefix=
> > > > > > > > > > > >
> > > > > > > > > > > > rule=: Test %-:word%
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > then it works:
> > > > > > > > > > > >
> > > > > > > > > > > > normalizer -r blick-rulebase < blick.txt
> > > > > > > > > > > >
> > > > > > > > > > > > [cee at 115 -="one"]
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > This seems to happen with matching %word% within
> > > > > > parenthesis.
> > > > > > > > Is
> > > > > > > > > > there
> > > > > > > > > > > > something I can do to check this on my end?  Thank
> > > you.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > James
> > > > > > > > > > >
> > > > > > > > > > >
> _______________________________________________
> > > > > > > > > > > Lognorm mailing list Lognorm at lists.adiscon.com
> > > > > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > > > >
> _______________________________________________
> > > > > > > > > > Lognorm mailing list
> > > > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > > > _______________________________________________
> > > > > > > > > Lognorm mailing list
> > > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > > _______________________________________________
> > > > > > > > Lognorm mailing list
> > > > > > > > Lognorm at lists.adiscon.com
> > > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > > _______________________________________________
> > > > > > > Lognorm mailing list
> > > > > > > Lognorm at lists.adiscon.com
> > > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > > _______________________________________________
> > > > > > Lognorm mailing list
> > > > > > Lognorm at lists.adiscon.com
> > > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > > _______________________________________________
> > > > > Lognorm mailing list
> > > > > Lognorm at lists.adiscon.com
> > > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > > _______________________________________________
> > > Lognorm mailing list
> > > Lognorm at lists.adiscon.com
> > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From james.lay at wincofoods.com  Fri Dec  2 19:08:29 2011
From: james.lay at wincofoods.com (Lay, James)
Date: Fri, 2 Dec 2011 11:08:29 -0700
Subject: [Lognorm] Shuffling spaces
Message-ID: <360E0F1A6850C74D89B37C3A22C9DE1F07051E16@GOMAIL.go.winco.local>

Hey all!

So...I get to deal with annoying variances in some log entries...example
snips below:

pri=1 rule=2 proto=10264/tcp
pri=1 rule=2  proto=https

pri=1 proto=47  src=

The subtle spaces are interesting to deal with as I have to have, for
the first 2, separate rulebase rules like:

%-:word% %-:word% %-:word%
%-:word% %-:word%  %-:word%

Is there some functionality within lognorm to...I'm not sure how to
ask..."ignore" spaces?  An example below:


Rulebase:

prefix=
rule= %-:word% %-:word%


log file:

test test
test                          test



Just trying to minimize having to make many rules to match small
changes.  Thanks all!

James

From rgerhards at hq.adiscon.com  Sat Dec  3 18:50:50 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sat, 3 Dec 2011 18:50:50 +0100
Subject: [Lognorm] Shuffling spaces
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72815AA@GRFEXC.intern.adiscon.com>



> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 7:08 PM
> To: lognorm at lists.adiscon.com
> Subject: [Lognorm] Shuffling spaces
> 
> Hey all!
> 
> So...I get to deal with annoying variances in some log entries...example
snips
> below:
> 
> pri=1 rule=2 proto=10264/tcp
> pri=1 rule=2  proto=https
> 
> pri=1 proto=47  src=
> 
> The subtle spaces are interesting to deal with as I have to have, for the
first 2,
> separate rulebase rules like:
> 
> %-:word% %-:word% %-:word%
> %-:word% %-:word%  %-:word%
> 
> Is there some functionality within lognorm to...I'm not sure how to
> ask..."ignore" spaces?  An example below:

No, that would cause backtracking again :( ... but I could add a syntax
"spaces" which would somewhat resolve that problem. However, this looks like
something the new name-value pair syntax can do. Can't it?

Rainer
> 
> 
> Rulebase:
> 
> prefix=
> rule= %-:word% %-:word%
> 
> 
> log file:
> 
> test test
> test                          test
> 
> 
> 
> Just trying to minimize having to make many rules to match small changes.
> Thanks all!
> 
> James
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From jlay at slave-tothe-box.net  Sat Dec  3 19:07:04 2011
From: jlay at slave-tothe-box.net (James Lay)
Date: Sat, 03 Dec 2011 11:07:04 -0700
Subject: [Lognorm] Shuffling spaces
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72815AA@GRFEXC.intern.adiscon.com>
Message-ID: <CAFFB329.ECD3%jlay@slave-tothe-box.net>

Hey Rainer....can you refresh my memory on the new name-value pair usage?
I'll give that a go and see what the results are...thanks so much.

James

On 12/3/11 10:50 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com> wrote:

>
>
>> -----Original Message-----
>> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> bounces at lists.adiscon.com] On Behalf Of Lay, James
>> Sent: Friday, December 02, 2011 7:08 PM
>> To: lognorm at lists.adiscon.com
>> Subject: [Lognorm] Shuffling spaces
>> 
>> Hey all!
>> 
>> So...I get to deal with annoying variances in some log entries...example
>snips
>> below:
>> 
>> pri=1 rule=2 proto=10264/tcp
>> pri=1 rule=2  proto=https
>> 
>> pri=1 proto=47  src=
>> 
>> The subtle spaces are interesting to deal with as I have to have, for
>>the
>first 2,
>> separate rulebase rules like:
>> 
>> %-:word% %-:word% %-:word%
>> %-:word% %-:word%  %-:word%
>> 
>> Is there some functionality within lognorm to...I'm not sure how to
>> ask..."ignore" spaces?  An example below:
>
>No, that would cause backtracking again :( ... but I could add a syntax
>"spaces" which would somewhat resolve that problem. However, this looks
>like
>something the new name-value pair syntax can do. Can't it?
>
>Rainer
>> 
>> 
>> Rulebase:
>> 
>> prefix=
>> rule= %-:word% %-:word%
>> 
>> 
>> log file:
>> 
>> test test
>> test                          test
>> 
>> 
>> 
>> Just trying to minimize having to make many rules to match small
>>changes.
>> Thanks all!
>> 
>> James
>> _______________________________________________
>> Lognorm mailing list
>> Lognorm at lists.adiscon.com
>> http://lists.adiscon.net/mailman/listinfo/lognorm
>_______________________________________________
>Lognorm mailing list
>Lognorm at lists.adiscon.com
>http://lists.adiscon.net/mailman/listinfo/lognorm



From rgerhards at hq.adiscon.com  Sat Dec  3 20:47:03 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sat, 3 Dec 2011 20:47:03 +0100
Subject: [Lognorm] Shuffling spaces
In-Reply-To: <CAFFB329.ECD3%jlay@slave-tothe-box.net>
References: <9B6E2A8877C38245BFB15CC491A11DA72815AA@GRFEXC.intern.adiscon.com>
	<CAFFB329.ECD3%jlay@slave-tothe-box.net>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72815AB@GRFEXC.intern.adiscon.com>

It currently is named the "iptables" parser, but should handle general nv
pairs well. From the release announcement:

- special handling for iptables log via %iptables% parser added 
  (currently experimental pending practical verification)

Note that when the journald topic settles I want to release much more of
lognorm. That effort rather unexpectedly came into my way and thrashed all my
plans ;)

Rainer

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of James Lay
> Sent: Saturday, December 03, 2011 7:07 PM
> To: lognorm
> Subject: Re: [Lognorm] Shuffling spaces
> 
> Hey Rainer....can you refresh my memory on the new name-value pair
> usage?
> I'll give that a go and see what the results are...thanks so much.
> 
> James
> 
> On 12/3/11 10:50 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com>
> wrote:
> 
> >
> >
> >> -----Original Message-----
> >> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> >> bounces at lists.adiscon.com] On Behalf Of Lay, James
> >> Sent: Friday, December 02, 2011 7:08 PM
> >> To: lognorm at lists.adiscon.com
> >> Subject: [Lognorm] Shuffling spaces
> >>
> >> Hey all!
> >>
> >> So...I get to deal with annoying variances in some log
> entries...example
> >snips
> >> below:
> >>
> >> pri=1 rule=2 proto=10264/tcp
> >> pri=1 rule=2  proto=https
> >>
> >> pri=1 proto=47  src=
> >>
> >> The subtle spaces are interesting to deal with as I have to have,
> for
> >>the
> >first 2,
> >> separate rulebase rules like:
> >>
> >> %-:word% %-:word% %-:word%
> >> %-:word% %-:word%  %-:word%
> >>
> >> Is there some functionality within lognorm to...I'm not sure how to
> >> ask..."ignore" spaces?  An example below:
> >
> >No, that would cause backtracking again :( ... but I could add a
> syntax
> >"spaces" which would somewhat resolve that problem. However, this
> looks
> >like
> >something the new name-value pair syntax can do. Can't it?
> >
> >Rainer
> >>
> >>
> >> Rulebase:
> >>
> >> prefix=
> >> rule= %-:word% %-:word%
> >>
> >>
> >> log file:
> >>
> >> test test
> >> test                          test
> >>
> >>
> >>
> >> Just trying to minimize having to make many rules to match small
> >>changes.
> >> Thanks all!
> >>
> >> James
> >> _______________________________________________
> >> Lognorm mailing list
> >> Lognorm at lists.adiscon.com
> >> http://lists.adiscon.net/mailman/listinfo/lognorm
> >_______________________________________________
> >Lognorm mailing list
> >Lognorm at lists.adiscon.com
> >http://lists.adiscon.net/mailman/listinfo/lognorm
> 
> 
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From jlay at slave-tothe-box.net  Sat Dec  3 23:57:42 2011
From: jlay at slave-tothe-box.net (James Lay)
Date: Sat, 03 Dec 2011 15:57:42 -0700
Subject: [Lognorm] Shuffling spaces
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72815AB@GRFEXC.intern.adiscon.com>
Message-ID: <CAFFF75D.ED10%jlay@slave-tothe-box.net>

Excellent...I will give this a go this week and report my findings.
Thanks again Rainer.

James

On 12/3/11 12:47 PM, "Rainer Gerhards" <rgerhards at hq.adiscon.com> wrote:

>It currently is named the "iptables" parser, but should handle general nv
>pairs well. From the release announcement:
>
>- special handling for iptables log via %iptables% parser added
>  (currently experimental pending practical verification)
>
>Note that when the journald topic settles I want to release much more of
>lognorm. That effort rather unexpectedly came into my way and thrashed
>all my
>plans ;)
>
>Rainer
>
>> -----Original Message-----
>> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> bounces at lists.adiscon.com] On Behalf Of James Lay
>> Sent: Saturday, December 03, 2011 7:07 PM
>> To: lognorm
>> Subject: Re: [Lognorm] Shuffling spaces
>> 
>> Hey Rainer....can you refresh my memory on the new name-value pair
>> usage?
>> I'll give that a go and see what the results are...thanks so much.
>> 
>> James
>> 
>> On 12/3/11 10:50 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com>
>> wrote:
>> 
>> >
>> >
>> >> -----Original Message-----
>> >> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> >> bounces at lists.adiscon.com] On Behalf Of Lay, James
>> >> Sent: Friday, December 02, 2011 7:08 PM
>> >> To: lognorm at lists.adiscon.com
>> >> Subject: [Lognorm] Shuffling spaces
>> >>
>> >> Hey all!
>> >>
>> >> So...I get to deal with annoying variances in some log
>> entries...example
>> >snips
>> >> below:
>> >>
>> >> pri=1 rule=2 proto=10264/tcp
>> >> pri=1 rule=2  proto=https
>> >>
>> >> pri=1 proto=47  src=
>> >>
>> >> The subtle spaces are interesting to deal with as I have to have,
>> for
>> >>the
>> >first 2,
>> >> separate rulebase rules like:
>> >>
>> >> %-:word% %-:word% %-:word%
>> >> %-:word% %-:word%  %-:word%
>> >>
>> >> Is there some functionality within lognorm to...I'm not sure how to
>> >> ask..."ignore" spaces?  An example below:
>> >
>> >No, that would cause backtracking again :( ... but I could add a
>> syntax
>> >"spaces" which would somewhat resolve that problem. However, this
>> looks
>> >like
>> >something the new name-value pair syntax can do. Can't it?
>> >
>> >Rainer
>> >>
>> >>
>> >> Rulebase:
>> >>
>> >> prefix=
>> >> rule= %-:word% %-:word%
>> >>
>> >>
>> >> log file:
>> >>
>> >> test test
>> >> test                          test
>> >>
>> >>
>> >>
>> >> Just trying to minimize having to make many rules to match small
>> >>changes.
>> >> Thanks all!
>> >>
>> >> James
>> >> _______________________________________________
>> >> Lognorm mailing list
>> >> Lognorm at lists.adiscon.com
>> >> http://lists.adiscon.net/mailman/listinfo/lognorm
>> >_______________________________________________
>> >Lognorm mailing list
>> >Lognorm at lists.adiscon.com
>> >http://lists.adiscon.net/mailman/listinfo/lognorm
>> 
>> 
>> _______________________________________________
>> Lognorm mailing list
>> Lognorm at lists.adiscon.com
>> http://lists.adiscon.net/mailman/listinfo/lognorm
>_______________________________________________
>Lognorm mailing list
>Lognorm at lists.adiscon.com
>http://lists.adiscon.net/mailman/listinfo/lognorm



From jlay at slave-tothe-box.net  Mon Dec  5 19:36:28 2011
From: jlay at slave-tothe-box.net (James Lay)
Date: Mon, 5 Dec 2011 11:36:28 -0700
Subject: [Lognorm] Shuffling spaces
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72815AB@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA72815AA@GRFEXC.intern.adiscon.com>
	<CAFFB329.ECD3%jlay@slave-tothe-box.net>
	<9B6E2A8877C38245BFB15CC491A11DA72815AB@GRFEXC.intern.adiscon.com>
Message-ID: <1ac65a6da60084c517276ba92540273c.squirrel@127.0.0.1>

Hey Rainer!

Hope the weekend was not too busy for you.  So..I'm testing out the new
%iptables% stuff....and I'm just not sure where to really put it yet.  Do
you have any examples using %iptables%?  Thank you!

James

> It currently is named the "iptables" parser, but should handle general nv
> pairs well. From the release announcement:
>
> - special handling for iptables log via %iptables% parser added
>   (currently experimental pending practical verification)
>
> Note that when the journald topic settles I want to release much more of
> lognorm. That effort rather unexpectedly came into my way and thrashed all
> my
> plans ;)
>
> Rainer
>
>> -----Original Message-----
>> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> bounces at lists.adiscon.com] On Behalf Of James Lay
>> Sent: Saturday, December 03, 2011 7:07 PM
>> To: lognorm
>> Subject: Re: [Lognorm] Shuffling spaces
>>
>> Hey Rainer....can you refresh my memory on the new name-value pair
>> usage?
>> I'll give that a go and see what the results are...thanks so much.
>>
>> James
>>
>> On 12/3/11 10:50 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com>
>> wrote:
>>
>> >
>> >
>> >> -----Original Message-----
>> >> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> >> bounces at lists.adiscon.com] On Behalf Of Lay, James
>> >> Sent: Friday, December 02, 2011 7:08 PM
>> >> To: lognorm at lists.adiscon.com
>> >> Subject: [Lognorm] Shuffling spaces
>> >>
>> >> Hey all!
>> >>
>> >> So...I get to deal with annoying variances in some log
>> entries...example
>> >snips
>> >> below:
>> >>
>> >> pri=1 rule=2 proto=10264/tcp
>> >> pri=1 rule=2  proto=https
>> >>
>> >> pri=1 proto=47  src=
>> >>
>> >> The subtle spaces are interesting to deal with as I have to have,
>> for
>> >>the
>> >first 2,
>> >> separate rulebase rules like:
>> >>
>> >> %-:word% %-:word% %-:word%
>> >> %-:word% %-:word%  %-:word%
>> >>
>> >> Is there some functionality within lognorm to...I'm not sure how to
>> >> ask..."ignore" spaces?  An example below:
>> >
>> >No, that would cause backtracking again :( ... but I could add a
>> syntax
>> >"spaces" which would somewhat resolve that problem. However, this
>> looks
>> >like
>> >something the new name-value pair syntax can do. Can't it?
>> >
>> >Rainer
>> >>
>> >>
>> >> Rulebase:
>> >>
>> >> prefix=
>> >> rule= %-:word% %-:word%
>> >>
>> >>
>> >> log file:
>> >>
>> >> test test
>> >> test                          test
>> >>
>> >>
>> >>
>> >> Just trying to minimize having to make many rules to match small
>> >>changes.
>> >> Thanks all!
>> >>
>> >> James
>> >> _______________________________________________
>> >> Lognorm mailing list
>> >> Lognorm at lists.adiscon.com
>> >> http://lists.adiscon.net/mailman/listinfo/lognorm
>> >_______________________________________________
>> >Lognorm mailing list
>> >Lognorm at lists.adiscon.com
>> >http://lists.adiscon.net/mailman/listinfo/lognorm
>>
>>
>> _______________________________________________
>> Lognorm mailing list
>> Lognorm at lists.adiscon.com
>> http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
>



From williams.joe at gmail.com  Tue Dec 13 00:03:57 2011
From: williams.joe at gmail.com (Joe Williams)
Date: Mon, 12 Dec 2011 15:03:57 -0800
Subject: [Lognorm] log line pattern matching
Message-ID: <F1CB443932854C36A277D862FE3DE5D9@gmail.com>

I have two rules like the following: 

rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v1 %success:word% "%id:char-to:\x22%" "%org:char-to:\x22%"

rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v2 %success:word% "%id:char-to:\x22%" "%email:char-to:\x22%" 

Note that the first one contains a literal "v1" and the last two fields are id and org and the second rule has the literal "v2" and id and email as the last two fields. The version number is the only way to determine which rule to use for any log line. Is it possible to base the rule off of the version literal but also have it in the json output that results from the rule?

Thanks.

-Joe


-- 
Name: Joseph A. Williams
Email: williams.joe at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20111212/0051c124/attachment-0001.htm>

From williams.joe at gmail.com  Wed Dec 21 19:22:11 2011
From: williams.joe at gmail.com (Joe Williams)
Date: Wed, 21 Dec 2011 10:22:11 -0800
Subject: [Lognorm] log line pattern matching
In-Reply-To: <F1CB443932854C36A277D862FE3DE5D9@gmail.com>
References: <F1CB443932854C36A277D862FE3DE5D9@gmail.com>
Message-ID: <D30F5AA0F50240A3830FE8380486B9C7@gmail.com>

Is it possible to do this? 


-- 
Name: Joseph A. Williams
Email: williams.joe at gmail.com


On Monday, December 12, 2011 at 3:03 PM, Joe Williams wrote:

> I have two rules like the following: 
> 
> rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v1 %success:word% "%id:char-to:\x22%" "%org:char-to:\x22%"
> 
> rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v2 %success:word% "%id:char-to:\x22%" "%email:char-to:\x22%" 
> 
> Note that the first one contains a literal "v1" and the last two fields are id and org and the second rule has the literal "v2" and id and email as the last two fields. The version number is the only way to determine which rule to use for any log line. Is it possible to base the rule off of the version literal but also have it in the json output that results from the rule?
> 
> Thanks.
> 
> -Joe
> 
> 
> -- 
> Name: Joseph A. Williams
> Email: williams.joe at gmail.com (mailto:williams.joe at gmail.com)
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20111221/ab569979/attachment.htm>

From rgerhards at hq.adiscon.com  Wed Dec 21 20:42:13 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 21 Dec 2011 20:42:13 +0100
Subject: [Lognorm] log line pattern matching
Message-ID: <009f01ccc018$440d1608$100013ac@intern.adiscon.com>

I'd say yes, but i guess it doesn't work for you?

Rainer

Joe Williams <williams.joe at gmail.com> hat geschrieben:Is it possible to do this? 


-- 
Name: Joseph A. Williams
Email: williams.joe at gmail.com


On Monday, December 12, 2011 at 3:03 PM, Joe Williams wrote:

> I have two rules like the following: 
> 
> rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v1 %success:word% "%id:char-to:\x22%" "%org:char-to:\x22%"
> 
> rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v2 %success:word% "%id:char-to:\x22%" "%email:char-to:\x22%" 
> 
> Note that the first one contains a literal "v1" and the last two fields are id and org and the second rule has the literal "v2" and id and email as the last two fields. The version number is the only way to determine which rule to use for any log line. Is it possible to base the rule off of the version literal but also have it in the json output that results from the rule?
> 
> Thanks.
> 
> -Joe
> 
> 
> -- 
> Name: Joseph A. Williams
> Email: williams.joe at gmail.com (mailto:williams.joe at gmail.com)
> 


From williams.joe at gmail.com  Thu Dec 22 05:52:48 2011
From: williams.joe at gmail.com (Joe Williams)
Date: Wed, 21 Dec 2011 20:52:48 -0800
Subject: [Lognorm] log line pattern matching
In-Reply-To: <009f01ccc018$440d1608$100013ac@intern.adiscon.com>
References: <009f01ccc018$440d1608$100013ac@intern.adiscon.com>
Message-ID: <DC9ECB75F66D4DBFBFBC009B4EF85AFE@gmail.com>

It doesn't seem to but perhaps I'm not doing it right. Suggestions? Documentation? 

-Joe


-- 
Name: Joseph A. Williams
Email: williams.joe at gmail.com


On Wednesday, December 21, 2011 at 11:42 AM, Rainer Gerhards wrote:

> I'd say yes, but i guess it doesn't work for you?
> 
> Rainer
> 
> Joe Williams <williams.joe at gmail.com (mailto:williams.joe at gmail.com)> hat geschrieben:Is it possible to do this? 
> 
> 
> -- 
> Name: Joseph A. Williams
> Email: williams.joe at gmail.com (mailto:williams.joe at gmail.com)
> 
> 
> On Monday, December 12, 2011 at 3:03 PM, Joe Williams wrote:
> 
> > I have two rules like the following: 
> > 
> > rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v1 %success:word% "%id:char-to:\x22%" "%org:char-to:\x22%"
> > 
> > rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v2 %success:word% "%id:char-to:\x22%" "%email:char-to:\x22%" 
> > 
> > Note that the first one contains a literal "v1" and the last two fields are id and org and the second rule has the literal "v2" and id and email as the last two fields. The version number is the only way to determine which rule to use for any log line. Is it possible to base the rule off of the version literal but also have it in the json output that results from the rule?
> > 
> > Thanks.
> > 
> > -Joe
> > 
> > 
> > -- 
> > Name: Joseph A. Williams
> > Email: williams.joe at gmail.com (mailto:williams.joe at gmail.com)
> > 
> 
> 
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com (mailto:Lognorm at lists.adiscon.com)
> http://lists.adiscon.net/mailman/listinfo/lognorm
> 
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20111221/3d3c5e99/attachment.htm>