I have xml style messages that can have thousands of <CUID>xxx</CUID> statements in them so I need to cut out from the middle of the message: from the first string of <CUID> to the last </CUID>. Is this possible?

Asked February 27, 2015 - 10:36am

Answers (2)

Yes, you can 'cut out' the string with a capturing regexp like this:

Exec if $Message =~ /\CUID\>(.*)\<\/CUID\>/ { $CUID = $1; }

Comments (4)

  • bigfoot

    Thanks for the answer!

    just one more problem :)

    ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:80; couldn't parse statement at line 80, character 37 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; failed to compile regular expression '\CUID\>(.*)\<\', error at position 14: \ at end of pattern

    so the character 37 is the C after the '\/' so the '\' does not properly escape the '/' to me it seems?


  • bigfoot

    BTW If I understand correctly then the

    Exec if $Message =~ /\CUID\>(.*)\<\/CUID\>/ { $CUID = $1; }

    just makes a new variable (or what's it called?) $CUID that I can use somehow, but that's the part I don't need, so what I need is to cut out, in other words drop, the part of the message that is between the first (and/or including) <CUID> and the last </CUID> so that


    would become


    or am I mistaken?

  • adm

    If you need to remove parts of the string, you can use the regexp replacement operator like this:

    Exec $raw_event =~ s/\<CUID\>.+\<CUID\>//g;

    There is a bug in the syntax parser with \/ in 2.8.1248, will be fixed in the upcoming release.

  • bigfoot

    I would imagine that I need something like this that would take the beginning and the end and then add them together, dropping the middle part <CUID.*\/CUID\>

    I now saw that in the messages that I need to trim, after all the CUIDs there is always the string <NumberOfInstances>, so I can evade the /CUID and do it like this

    Exec if $Message =~ /\CUID\>(.*)\<NumberOfInstances\>/ { $CUID = $1; }

    but this does nothing to make my events smaller (I still get the 'Syslog_TLS output is over the limit of 65000, will be truncated' messages), so I would imagine that I need something that takes the first part before the <CUID> and the part after <NumberOfInstances and combines them as the new raw_event, effectively dropping the part between <CUID and <NumberOfInstances>:

    Exec if $raw_event =~ /^(.*)\<CUID\>.*\<NumberOfInstances\>(.*)/    {$raw_event = $1$2;}

    but this does not work of course. I'm missing something here... can you please help me out here?

Just in case anybody reads this then the solution was this:

Exec if $raw_event =~ /^(.+?)(\<CUID\>.*\<NumberOfInstances\>)(.+)/ $raw_event = $1 + ' <CUID>dropped</CUID><NumberOfInstances>' + $3;
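
The pattern from the last answer can be checked offline before it goes into nxlog.conf. The following Python sketch is an added example, not part of the original thread; it assumes Python's `re` treats this pattern the same way nxlog's regex engine does, and the helper names and the sample event (including the `Report` and `Name` elements) are constructed for illustration.

```python
import re

SYSLOG_LIMIT = 65000  # limit quoted in the thread's truncation warning
MARKER = " <CUID>dropped</CUID><NumberOfInstances>"  # replacement text from the thread

def make_pattern(dotall=False):
    # Same pattern as the thread's solution, without the nxlog \< \> escapes.
    # (.+?) is lazy, so group 1 stops at the FIRST <CUID>; the greedy .* in
    # group 2 then runs to the LAST <NumberOfInstances>.
    flags = re.DOTALL if dotall else 0
    return re.compile(r"^(.+?)(<CUID>.*<NumberOfInstances>)(.+)", flags)

def drop_cuid_block(raw_event, dotall=False):
    """Return raw_event with the CUID run replaced by a short marker.
    Events that do not match the pattern are returned unchanged."""
    m = make_pattern(dotall).match(raw_event)
    if m is None:
        return raw_event
    return m.group(1) + MARKER + m.group(3)

def build_sample(n, sep=""):
    # Constructed sample event; element names other than CUID and
    # NumberOfInstances are invented for this example.
    cuids = sep.join("<CUID>id-%06d</CUID>" % i for i in range(n))
    return ("<Report><Name>nightly</Name>" + sep + cuids + sep +
            "<NumberOfInstances>%d</NumberOfInstances></Report>" % n)

if __name__ == "__main__":
    big = build_sample(5000)
    small = drop_cuid_block(big)
    print(len(big), "->", len(small), "chars; fits:", len(small) < SYSLOG_LIMIT)
    print(small)
    # Edge case: '.' does not cross newlines by default, so a multi-line
    # event is left untouched unless dot-matches-newline is enabled.
    multi = build_sample(3, sep="\n")
    print("multi-line unchanged:", drop_cuid_block(multi) == multi)
    print(drop_cuid_block(multi, dotall=True))
```

If the real events contain line breaks inside the message, the multi-line case above is the one to test first, since an unmatched event passes through at full size and is still truncated on output.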