[Lognorm] Escape [ and ]

Wed Jun 10 08:15:42 CEST 2015

Glad I can help. I spent way too much time learning this stuff and I don't
get to use it often enough :)
On Tue, Jun 9, 2015 at 11:13 PM David Lang <david at lang.hm> wrote:

> On Wed, 10 Jun 2015, Фадеев Виталий Львович wrote:
>
> >
> > Hi!
> > I want to log all from apache. I use custom log in apache that looks
> like:
> >
> > [2015-06-09 18:27:07 197 NOVT] [192.168.1.67] [192.168.1.67]
> [192.168.1.254] [818] [/var/www/host/css/button.css] [192.168.1.67]
> [HTTP/1.1] [1] [-] [GET] [5064] [?v=0] [GET /css/button.css?v=0 HTTP/1.1]
> [-] [200] [200] [0] [/css/button.css] [hostname.domain] [hostname.domain]
> [+] [1540] [1138] [" http://hostname.domain/index.html "] ["Mozilla/5.0
> (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"]
> >
> > For example, i create test.log that contains:
> > [2015-06-09 16:47:34 830 NOVT]
> >
> > and test.rb:
> > rule=:[%date:date-iso% %time:time-24hr% %microsec:number%
> %timezone:char-to:]%
> >
> > If i try i get:
> > $ lognormalizer -r test.rb -e json  < test.log
> > { "originalmsg": "[2015-06-09 16:47:34 830 NOVT]", "unparsed-data": "]" }
> >
> > How to parse data between [ and ] ?
>
> you almost have it correct. The only thing that you are missing is that
> char-to
> doesn't 'consume' the matching character, so your rule would need to be:
>
> rule=:[%date:date-iso% %time:time-24hr% %microsec:number%
> %timezone:char-to:]%]
>
> David Lang
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20150610/108b51c4/attachment-0001.html>