On Mon, May 23, 2022 at 10:48:51PM -0600, Philip Prindeville wrote: > > > > On May 11, 2022, at 1:53 AM, Henrik K <h...@hege.li> wrote: > > > > On Wed, May 11, 2022 at 10:49:32AM +0300, Henrik K wrote: > >> On Wed, May 11, 2022 at 10:44:05AM +0300, Henrik K wrote: > >>> On Tue, May 10, 2022 at 06:19:38PM -0600, Philip Prindeville wrote: > >>>> See my original message. > >>>> > >>>> I can't think of a single way to match each header, and then test for > >>>> any of them not matching the pattern... > >>> > >>> Simply use regex negative lookahead. > >>> > >>> ALL =~ /^(?!Foo|Bar):/m > >>> > >>> It will hit any line _not_ starting with Foo: or Bar: > >> > >> Oops I think it was buggy.. more like: > >> > >> ALL =~ /^(?!(?:Foo|Bar):)/m > > > > And for debug logging to log the missing header (to easily inspect what was > > matched) you need some additional string matching, lookahead itself doesn't > > save any string > > > > ALL =~ /^(?!(?:Foo|Bar):)[^:]+/m > > > > > Ended up using .*$ instead of [^:]* but that worked too. > > Is it possible to count how many times we didn't see matching headers and > then count those, setting some threshold, like 3 or more unknown headers?
tflags multiple should work header UNKNOWN_HDR ALL ... tflags UNKNOWN_HDR multiple maxhits=3 meta UNKNOWN_HDR_TOOMANY UNKNOWN_HDR >= 3
