Mailing List Archive

Re: rsyslog filters.
Any help is appreciated.

On Wed, Feb 17, 2021 at 3:17 PM ashutosh <ashucould@gmail.com> wrote:

> Hi Team,
>
> I have one question related to rsyslog filters. I need to search two
> keywords in my log file and send those to papertrail. Keywords are - ERROR:
> & FATAL:
>
> I tried something like that, but it didn't work.
>
> :msg, contains, "ERROR:" or "FATAL:" @logs6.papertrailapp.com:10000
>
> Kindly advise.
>
> Thanks,
>
> --
>
> Regards,
> Ashutosh Durugkar
> Database Admin Oracle & PostgreSQL.
>


--

Regards,
Ashutosh Durugkar
Database Admin Oracle & PostgreSQL.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslog filters.
change to the new if ... then syntax, it lets you do complex expressions.

there is no reason to write any new filters using the old syntax. There was a
time when the old syntax was faster, but that went away many years ago.

David Lang

On Wed, 17 Feb 2021, ashutosh via rsyslog wrote:

> Date: Wed, 17 Feb 2021 15:29:44 -0700
> From: ashutosh via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: ashutosh <ashucould@gmail.com>
> Subject: Re: [rsyslog] rsyslog filters.
>
> Any help is appreciated.
Re: rsyslog filters.
if $msg contains "ERROR:" or $msg contains "FATAL:" then
@logs6.papertrailapp.com:10000

not sure if the syntax is 100% correct, but you get the idea.

HTH
Rainer
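
Added example (not part of the original thread, and not code from the rsyslog project): the filter from the question next to the if ... then form suggested above, with the forwarding written as an omfwd action. The host and port are the ones from the question; UDP is assumed because the legacy selector uses a single @.

```rsyslog
# Legacy property-based filter: the compare operation takes a single value,
# so an "or" between two strings is not valid in this syntax.
# The line from the question (does not work):
#   :msg, contains, "ERROR:" or "FATAL:" @logs6.papertrailapp.com:10000
#
# Staying in the legacy syntax would need one filter line per keyword.
# A message containing both keywords matches both lines and is sent twice:
#   :msg, contains, "ERROR:" @logs6.papertrailapp.com:10000
#   :msg, contains, "FATAL:" @logs6.papertrailapp.com:10000

# RainerScript form: one expression, one action, so each matching
# message is forwarded once.
if ($msg contains "ERROR:" or $msg contains "FATAL:") then {
    # Same destination as the legacy "@host:port" selector.
    # A single "@" means UDP ("@@" would be TCP); UDP is assumed here.
    action(type="omfwd"
           target="logs6.papertrailapp.com"
           port="10000"
           protocol="udp")
}
```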

On Wed, 17 Feb 2021 at 23:29, ashutosh via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Any help is appreciated.
Re: rsyslog filters.
A "side question" - what would be better performance-wise?

A complex condition ($msg contains "A" or $msg contains "B") or regex
match (re_match($msg,"(A|B)"))?

It seems intuitive that simple match, even done twice (A _or_ B) should
be faster than regexp matching but is it indeed?

On 18.02.2021 08:49, Rainer Gerhards via rsyslog wrote:
> if $msg contains "ERROR:" or $msg contains "FATAL:" then
> @logs6.papertrailapp.com:10000
>
> not sure if the syntax is 100% correct, but you get the idea.
>
> HTH
> Rainer
Re: rsyslog filters.
The regex is potentially many times slower. Avoid it (albeit the
simple regex you show may be not sooo bad).

Rainer

On Thu, 18 Feb 2021 at 9:11, Mariusz Kruk via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> A "side question" - what would be better performance-wise?
>
> A complex condition ($msg contains "A" or $msg contains "B") or regex
> match (re_match($msg,"(A|B)"))?
>
> It seems intuitive that simple match, even done twice (A _or_ B) should
> be faster than regexp matching but is it indeed?
Re: rsyslog filters.
That pretty much confirms what I suspected :-)

Regexes tend to be "heavy" indeed.

Thank you!

On 18.02.2021 09:15, Rainer Gerhards wrote:

> The regex is potentially many times slower. Avoid it (albeit the
> simple regex you show may be not sooo bad).
>
> Rainer