What is the correct syntax for rsyslog's re_match()?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:



if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop


I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.



The documentation is a bit vague:



re_match(expr, re)

returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.


How do I fix it (the filter, not the docs)?










share|improve this question







New contributor




U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    0
    down vote

    favorite












    I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:



    if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop


    I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.



    The documentation is a bit vague:



    re_match(expr, re)

    returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.


    How do I fix it (the filter, not the docs)?










    share|improve this question







    New contributor




    U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:



      if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop


      I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.



      The documentation is a bit vague:



      re_match(expr, re)

      returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.


      How do I fix it (the filter, not the docs)?










      share|improve this question







      New contributor




      U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:



      if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop


      I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.



      The documentation is a bit vague:



      re_match(expr, re)

      returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.


      How do I fix it (the filter, not the docs)?







      regular-expression rsyslog filter






      share|improve this question







      New contributor




      U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 15 hours ago









      U. Windl

      1291




      1291




      New contributor




      U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.



          But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try



          '^Started [Ss]ession [0-9]+ of user ntpmon\.$'





          share|improve this answer




















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );






            U. Windl is a new contributor. Be nice, and check out our Code of Conduct.









             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f481282%2fwhat-is-the-correct-syntax-for-rsyslogs-re-match%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.



            But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try



            '^Started [Ss]ession [0-9]+ of user ntpmon\.$'





            share|improve this answer
























              up vote
              0
              down vote













              You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.



              But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try



              '^Started [Ss]ession [0-9]+ of user ntpmon\.$'





              share|improve this answer






















                up vote
                0
                down vote










                up vote
                0
                down vote









                You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.



                But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try



                '^Started [Ss]ession [0-9]+ of user ntpmon\.$'





                share|improve this answer












                You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.



                But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try



                '^Started [Ss]ession [0-9]+ of user ntpmon\.$'






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 11 hours ago









                meuh

                31k11754




                31k11754




















                    U. Windl is a new contributor. Be nice, and check out our Code of Conduct.









                     

                    draft saved


                    draft discarded


















                    U. Windl is a new contributor. Be nice, and check out our Code of Conduct.












                    U. Windl is a new contributor. Be nice, and check out our Code of Conduct.











                    U. Windl is a new contributor. Be nice, and check out our Code of Conduct.













                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f481282%2fwhat-is-the-correct-syntax-for-rsyslogs-re-match%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?