2
responses

Hello, 

I'm trying to convert a date in NXlog from 06/15/16 to 2016-06-15 because NXlog is not able to parse the date (DEBUG couldn't parse date: 06/14/16).

I created a regular expression ($Date =~ s/(\d+)\/(\d+)\/(\d+)/20$3-$2-$1/;) in my module to convert the date. See the module below

 Exec if $raw_event =~ /^[0-9][0-9],/                        \
        {                                                        \
            ParseDHCP->parse_csv();                                 \
            if $raw_event =~ /^00/ $IDdef = "The log was started.";    \
            if $raw_event =~ /^01/ $IDdef = "The log was stopped.";    \
            if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space.";    \
            if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client.";    \
            if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client.";    \
            if $raw_event =~ /^12/ $IDdef = "A lease was released by a client.";    \
            if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network.";    \
            if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted.";    \
            if $raw_event =~ /^15/ $IDdef = "A lease was denied.";    \
            if $raw_event =~ /^16/ $IDdef = "A lease was deleted.";    \
            if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted.";    \
            if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted.";    \
            if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client.";    \
            if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client.";    \
            if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.";    \
            if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use.";    \
            if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began.";    \
            if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics.";    \
            if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server.";    \
            if $raw_event =~ /^31/ $IDdef = "DNS update failed.";    \
            if $raw_event =~ /^32/ $IDdef = "DNS update successful.";    \
            if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy.";    \
            if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded.";    \
            if $raw_event =~ /^35/ $IDdef = "DNS update request failed.";    \
            if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match.";    \
            if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information.";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,0,/ $QResultDef = "NoQuarantine";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,1,/ $QResultDef = "Quarantine";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,2,/ $QResultDef = "Drop Packet";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,3,/ $QResultDef = "Probation";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.";    \
            $host            =    hostname_fqdn();                \
            $Date =~ s/(\d+)\/(\d+)\/(\d+)/20$3-$2-$1/;   \
            $EventTime         =     parsedate($Date + " " + $Time);    \
            $SourceName     =     "DHCPEvents";                    \
            $Message         =     to_json();                        \
        }                                                        \
        else                                                    \
            drop();

However it returns 2016-06-15 17:37:29 INFO EventTime: 20$3-$2-$1

 

AskedJune 15, 2016 - 5:40pm

Answer (1)

It's not possible to use captured value references inside the regexp substitution so you'll need something like this:

if $Date =~ /(\d+)\/(\d+)\/(\d+)/ { $Date = '20' + $3 + '-' + $2 + '-' + $1; };

There is also strptime().

Comments (1)