> On Aug 23, 2016, at 12:19 PM, Robert Dahlem <robert.dah...@gmx.net> wrote:
>
> my $instre = qr{(?x)
>     \A                  # Absolute line start
>     (?:\S+ \s+){3}      # Timestamp, adjust for other time formats
>     \S+ \s+             # Hostname
>     (postfix(?:-\S+)?)/ # postfix instance
> };
>
> [...]
>
> I would like to have postfix and postfix_slow in one block, while
> postfix-sec and postfix_slow-sec in another block. Could someone help me
> modify this part of the regular expression:
>
> (postfix(?:-\S+)?)/ # postfix instance
>
> so that it spits out "postfix" and "postfix-sec" while deleting the
> "_slow" part? Much appreciated!

Untested:

    my $instre = qr{(?x)        # Ignore whitespace and comments
        \A                      # Absolute line start
        (?:\S+ \s+){3}          # Timestamp, adjust for other time formats
        \S+ \s+                 # Hostname
        (postfix(?:-\S*?)?)     # Capture instance name with optional non-greedy suffix
        (?:_slow)?              # Optional ignored "_slow" suffix
        /                       # '/' before the daemon program name
    };

A more general approach may be to replace "_slow" with "/slow" and
ignore any additional / delimited components between the instance
name and the program name. That would require you to set a
syslog_name along the lines of postfix-sec/slow or
postfix-sec/submission, ... and the RE then becomes (untested):

    my $instre = qr{(?x)        # Ignore whitespace and comments
        \A                      # Absolute line start
        (?:\S+ \s+){3}          # Timestamp, adjust for other time formats
        \S+ \s+                 # Hostname
        (postfix(?:-[^/\s]+)?)  # Capture instance name stopping before first '/'
        (?:/\S+)*               # Optional non-captured '/'-delimited qualifiers
        /                       # Final '/' before the daemon program name
    };

--
Viktor.
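
The two patterns from the reply above, run over constructed syslog lines (an added example, not part of the original message). The hostname mx1, the timestamp, the PIDs, the queue IDs and the `postfix_fast` tag are made up; the `postfix_fast` line is there to show a tag that the first pattern does not match at all, so such lines would drop out of any per-instance grouping.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns from the message above, with shortened comments.
my $underscore_re = qr{(?x)
    \A (?:\S+ \s+){3} \S+ \s+
    (postfix(?:-\S*?)?)     # instance name
    (?:_slow)?              # ignored "_slow" suffix
    /
};
my $slash_re = qr{(?x)
    \A (?:\S+ \s+){3} \S+ \s+
    (postfix(?:-[^/\s]+)?)  # instance name, stops before first '/'
    (?:/\S+)*               # ignored '/'-delimited qualifiers
    /
};

# Constructed sample data: [ pattern, syslog tag and message, expected capture ].
my $prefix = 'Aug 23 12:19:01 mx1 ';
my @cases = (
    [ $underscore_re, 'postfix/smtpd[101]: connect from unknown[192.0.2.1]', 'postfix' ],
    [ $underscore_re, 'postfix_slow/qmgr[102]: 4A1B2C: removed',             'postfix' ],
    [ $underscore_re, 'postfix-sec/cleanup[103]: 4A1B2D: message-id=<x@y>',  'postfix-sec' ],
    [ $underscore_re, 'postfix-sec_slow/smtp[104]: 4A1B2E: status=sent',     'postfix-sec' ],
    [ $underscore_re, 'postfix_fast/smtpd[105]: disconnect',                 undef ],
    [ $slash_re,      'postfix/slow/qmgr[106]: 4A1B2F: removed',             'postfix' ],
    [ $slash_re,      'postfix-sec/submission/smtpd[107]: connect',          'postfix-sec' ],
    [ $slash_re,      'postfix-sec/smtpd[108]: warning: /etc/hosts: x',      'postfix-sec' ],
);

my $failures = 0;
for my $case (@cases) {
    my ($re, $rest, $want) = @$case;
    # In list context the match returns the first capture, or nothing on failure.
    my ($got) = ($prefix . $rest) =~ $re;
    my ($g, $w) = map { $_ // '(no match)' } $got, $want;
    $failures++ if $g ne $w;
    printf "%-4s %-12s <- %s\n", ($g eq $w ? 'ok' : 'FAIL'), $g, $rest;
}
exit($failures ? 1 : 0);
```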