summaryrefslogtreecommitdiffstats
path: root/source/configuration/nomatch.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:18 +0000
commitf7f20c3f5e0be02585741f5f54d198689ccd7866 (patch)
tree190d5e080f6cbcc40560b0ceaccfd883cb3faa01 /source/configuration/nomatch.rst
parentInitial commit. (diff)
downloadrsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.tar.xz
rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.zip
Adding upstream version 8.2402.0+dfsg.upstream/8.2402.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--source/configuration/nomatch.rst47
1 files changed, 47 insertions, 0 deletions
diff --git a/source/configuration/nomatch.rst b/source/configuration/nomatch.rst
new file mode 100644
index 0000000..9cb84b7
--- /dev/null
+++ b/source/configuration/nomatch.rst
@@ -0,0 +1,47 @@
+Property Replacer nomatch mode
+------------------------------
+
+**The "nomatch-Mode" specifies which string the property replacer shall
+return if a regular expression did not find the search string.**.
+Traditionally, the string "\*\*NO MATCH\*\*" was returned, but many
+people complained this was almost never useful. Still, this mode is
+support as "**DFLT**\ " for legacy configurations.
+
+Three additional and potentially useful modes exist: in one (**BLANK**)
+a blank string is returned. This is probably useful for inserting values
+into databases where no value shall be inserted if the expression could
+not be found.
+
+A similar mode is "**ZERO**\ " where the string "0" is returned. This is
+suitable for numerical values. A use case may be that you record a
+traffic log based on firewall rules and the "bytes transmitted" counter
+is extracted via a regular expression. If no "bytes transmitted" counter
+is available in the current message, it is probably a good idea to
+return an empty string, which the database layer can turn into a zero.
+
+The other mode is "**FIELD**\ ", in which the complete field is
+returned. This may be useful in cases where absence of a match is
+considered a failure and the message that triggered it shall be logged.
+
+If in doubt, **it is highly suggested to use the** `rsyslog online regular
+expression checker and generator <http://www.rsyslog.com/tool-regex>`_
+**to see these options in action**. With that online tool, you can craft
+regular expressions based on samples and try out the different modes.
+
+Summary of nomatch Modes
+~~~~~~~~~~~~~~~~~~~~~~~~
+
++------------+-----------------------------------------------------------+
+| **Mode** | **Returned** |
++------------+-----------------------------------------------------------+
+| DFLT | "\*\*NO MATCH\*\*" |
++------------+-----------------------------------------------------------+
+| BLANK | "" (empty string) |
++------------+-----------------------------------------------------------+
+| ZERO | "0" |
++------------+-----------------------------------------------------------+
+| FIELD | full content of original field |
++------------+-----------------------------------------------------------+
+|   | `Interactive Tool <http://www.rsyslog.com/tool-regex>`_ |
++------------+-----------------------------------------------------------+
+