Value specifiers

The mappings in a format specification assign values to attributes.

The mapping part of a format specification consists of the following types of value specifiers:

  • $i
  • String constant
  • PRINTF statement

$i

The i indicates the position of a subexpression in a format string. Each subexpression is numbered from 1 to the maximum number of subexpressions in the format string.

The value of a $i value specifier (also known as a variable, slot, or attribute) is the portion of the system log message that is matched by the corresponding subexpression.

In the following example, the log agent translates any log message from the UNIX syslog facility into a syslog event with values assigned to it:

REGEX REGenericSyslog
^([A-Z][a-z]{2}) ([ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*?) (.*?): (.*)$
month   $1
date    $2
time    $3
host    $4
service $5
msg     $6
END

Each subexpression numbered from $1 to $6 matches an item in parentheses in the regular expression.

Therefore, the following syslog event:

Apr  6 10:03:20 jimmy syslogd 1.4.1: restart.

is assigned the following values:

month=Apr
date=6
time=10:03:20
host=jimmy
service=syslogd 1.4.1
msg=restart.

For example, in the syslog event, the 10:03:20 value matches the third item in parentheses in the regular expression, so it is assigned to the time attribute through $3. Similarly, the jimmy value matches the fourth item in parentheses in the regular expression, so it is assigned to the host attribute through $4.

String constant

The string constant declares that the value of the attribute is the specified string. If the attribute value is a single constant without any spaces, you specify it without surrounding double quotation marks (" ") as shown in the following example:

severity WARNING

Otherwise, if there are spaces in the attribute value, double quotation marks must be used as shown in the following example:

component "Web Server"

PRINTF statement

The PRINTF statement creates more complex attribute values from other attribute values. The PRINTF statement consists of the keyword PRINTF followed by a printf() C-style format string and one or more attribute names.

The format string supports only the %s component specifier. The values of the attributes that are used in the PRINTF statement must be derived from either a $i value specification or a constant string value specification (you cannot derive them from another PRINTF statement).

The values of the argument attributes are substituted into the format string to compose a new constant string, and this new constant string becomes the value of the attribute.

Based on the previous example where you defined the REGenericSyslog base class, and the service and msg slots, you can define an attribute called syslog_msg by using the PRINTF keyword.

syslog_msg PRINTF("service %s reports %s", service, msg)

If the following log message is reported:

Apr  6 10:03:20 jimmy syslogd 1.4.1: restart.

a new constant string is composed by substituting the attribute values into the format string:

syslog_msg="service syslogd 1.4.1 reports restart."
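The following is an added example, not code from this documentation or from the log adapter itself: a small Python interpreter for one REGEX ... END block that applies all three value specifiers ($i, string constant, PRINTF) to the syslog message above. The format specification text, the severity and component lines, and the helper names are constructed for illustration; it also enforces the rule that a PRINTF argument may not come from another PRINTF.

```python
import re
# Constructed format spec: the page's REGenericSyslog example plus constant and PRINTF specifiers.
FORMAT_SPEC = r"""REGEX REGenericSyslog
^([A-Z][a-z]{2}) ([ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*?) (.*?): (.*)$
month   $1
date    $2
time    $3
host    $4
service $5
msg     $6
severity WARNING
component "Web Server"
syslog_msg PRINTF("service %s reports %s", service, msg)
END
"""

_PRINTF = re.compile(r'PRINTF\("([^"]*)"\s*(?:,\s*(.*))?\)$')

def parse_format(text):
    """Split one REGEX ... END block into (class name, compiled regex, [(attr, spec)])."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines[0].startswith("REGEX ") or lines[-1] != "END":
        raise ValueError("expected a REGEX ... END block")
    name = lines[0].split(None, 1)[1].strip()
    mappings = [l.split(None, 1) for l in lines[2:-1]]
    return name, re.compile(lines[1]), [(a, s.strip()) for a, s in mappings]

def apply_format(spec_text, message):
    """Assign attribute values for one log message; None if the regex does not match."""
    _, pattern, mappings = parse_format(spec_text)
    m = pattern.match(message)
    if m is None:
        return None
    attrs, from_printf = {}, set()
    for attr, spec in mappings:
        if spec.startswith("$"):                 # $i: text matched by subexpression i
            attrs[attr] = m.group(int(spec[1:]))
        elif spec.startswith("PRINTF"):          # PRINTF: compose from $i / constant attributes
            fmt, args = _PRINTF.match(spec).groups()
            names = [a.strip() for a in args.split(",")] if args else []
            if from_printf.intersection(names):  # page rule: no PRINTF-derived arguments
                raise ValueError("PRINTF argument may not come from another PRINTF")
            attrs[attr] = fmt % tuple(attrs[n] for n in names)
            from_printf.add(attr)
        elif len(spec) > 1 and spec[0] == spec[-1] == '"':  # quoted string constant
            attrs[attr] = spec[1:-1]
        else:                                    # bare string constant (no spaces)
            attrs[attr] = spec
    return attrs
```

Note that the date subexpression ([ 0-9][0-9]) captures syslog's pad space, so the raw $2 value for "Apr  6" is " 6"; a consumer that compares dates should trim it.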