[Lognorm] log line pattern matching

Joe Williams williams.joe at gmail.com
Thu Dec 22 05:52:48 CET 2011


It doesn't seem to, but perhaps I'm not doing it right. Suggestions? Documentation?

-Joe


-- 
Name: Joseph A. Williams
Email: williams.joe at gmail.com


On Wednesday, December 21, 2011 at 11:42 AM, Rainer Gerhards wrote:

> I'd say yes, but I guess it doesn't work for you?
> 
> Rainer
> 
> Joe Williams <williams.joe at gmail.com (mailto:williams.joe at gmail.com)> wrote: Is it possible to do this?
> 
> 
> -- 
> Name: Joseph A. Williams
> Email: williams.joe at gmail.com (mailto:williams.joe at gmail.com)
> 
> 
> On Monday, December 12, 2011 at 3:03 PM, Joe Williams wrote:
> 
> > I have two rules like the following: 
> > 
> > rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v1 %success:word% "%id:char-to:\x22%" "%org:char-to:\x22%"
> > 
> > rule=:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v2 %success:word% "%id:char-to:\x22%" "%email:char-to:\x22%" 
> > 
> > Note that the first one contains a literal "v1" and the last two fields are id and org, and the second rule has the literal "v2" and id and email as the last two fields. The version number is the only way to determine which rule to use for any log line. Is it possible to base the rule off of the version literal but also have it in the json output that results from the rule?
> > 
> > Thanks.
> > 
> > -Joe
> > 
> > 
> > -- 
> > Name: Joseph A. Williams
> > Email: williams.joe at gmail.com (mailto:williams.joe at gmail.com)
> > 
> 
> 
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com (mailto:Lognorm at lists.adiscon.com)
> http://lists.adiscon.net/mailman/listinfo/lognorm
> 
> 
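
Added example, not part of the original thread and not liblognorm code: a small Python emulation of the two rules quoted above, showing the v1/v2 literal selecting the rule while the version still reaches the JSON output. It assumes liblognorm's rule-tag syntax (a tag between `rule=` and the colon) with tags reported under `event.tags`; the sample log lines and all function names are constructed for illustration.

```python
import json
import re

# The thread's two rules, with a tag (v1 / v2) added between "rule=" and ":".
# Assumption: the matching rule's tags are reported under "event.tags".
RULEBASE = r'''
rule=v1:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v1 %success:word% "%id:char-to:\x22%" "%org:char-to:\x22%"
rule=v2:%date:date-rfc3164% %hostname:word% %process_name:char-to:\x5b%[%pid:char-to:\x5d\x3a%]: %endpoint:word% v2 %success:word% "%id:char-to:\x22%" "%email:char-to:\x22%"
'''
# Constructed sample log lines (not from the thread).
SAMPLES = [
    'Dec 12 15:03:00 web01 api[4242]: /users v1 ok "1001" "acme"',
    'Dec 12 15:03:01 web01 api[4242]: /users v2 ok "1002" "joe@example.com"',
]
FIELD = re.compile(r'%([\w-]+):([\w-]+)(?::([^%]*))?%')
TYPES = {'word': r'\S+',
         'date-rfc3164': r'[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}'}

def field_regex(name, ftype, extra):
    """Translate one %name:type[:extra]% field into a named regex group."""
    if ftype == 'char-to':
        # extra data lists the terminating characters, \xHH-escaped
        stops = re.sub(r'\\x([0-9a-fA-F]{2})',
                       lambda m: chr(int(m.group(1), 16)), extra)
        return '(?P<%s>[^%s]+)' % (name, re.escape(stops))
    return '(?P<%s>%s)' % (name, TYPES[ftype])

def compile_rule(line):
    """Return (tags, regex); text between fields is matched literally."""
    tags, _, sample = line[len('rule='):].partition(':')
    pattern, pos = '', 0
    for m in FIELD.finditer(sample):
        pattern += re.escape(sample[pos:m.start()]) + field_regex(*m.groups())
        pos = m.end()
    pattern += re.escape(sample[pos:]) + r'\Z'
    return [t for t in tags.split(',') if t], re.compile(pattern)

def load_rules(text):
    return [compile_rule(l.strip()) for l in text.splitlines()
            if l.startswith('rule=')]

def normalize(line, rules):
    """First matching rule wins; its tags carry the version into the output."""
    for tags, rx in rules:
        m = rx.match(line)
        if m:
            return dict(m.groupdict(), **{'event.tags': tags})
    return None  # no rule matched, e.g. an unknown version literal

if __name__ == '__main__':
    for s in SAMPLES:
        print(json.dumps(normalize(s, load_rules(RULEBASE))))
```
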

