Rsyslog – Property Replacer Regex Requires Double Escape


Consider the following log line:

2019-04-20 21:17:57,505341,+0000 [Web,279,10.0.0.100] c4da4857-63b1-11a9-a00a-b0521699037b TCP RX ...

I want to strip the timestamp 2019-04-20 21:17:57,505341,+0000 at the beginning before writing this log line with rsyslog.

I've leveraged the property replacer in a template using a regex to match everything after the timestamp, like so:

template (name="mylog" type="string" string="%timereported% %syslogtag% %pri-text% %msg:R,ERE,1,BLANK:(\\[.*)--end%\n")

Notice the double \\ before the bracket [.

If I only use a single \ before the bracket, rsyslog throws an error, but it works just fine with the double \\.

I'm not very experienced with regex but my understanding is that a special character like the bracket [ requires a single \ to be escaped so that it can match the literal bracket in the log line. Why is it that a single \ doesn't work in rsyslog but double \\ does?

I'm using rsyslog v8.40.0 on Debian.

What am I missing?

Best Answer

You are right about the regex syntax, but you must remember you are providing it as a string constant, so you must also respect the rules for these which state that special characters (including backslash) are escaped with a backslash. The linked-to page has a link to an online tool to do the escaping for you.
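
The two escaping layers described in the answer, as an added example that is not part of the original question or answer and is not rsyslog code. `unescape_string_constant` is a simplified, assumed model of the string-constant layer, and Python's `re` stands in for the POSIX ERE engine; rsyslog's actual error text may differ.

```python
import re

# Constructed sample: the log line from the question, as it would appear in %msg%.
MSG = ("2019-04-20 21:17:57,505341,+0000 [Web,279,10.0.0.100] "
       "c4da4857-63b1-11a9-a00a-b0521699037b TCP RX ...")


def unescape_string_constant(text):
    # Simplified model (assumption): a backslash escapes the next character,
    # and backslash-n becomes a newline. This is layer 1, applied to the
    # template string before the regex engine ever sees the pattern.
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append("\n" if nxt == "n" else nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def apply_template_regex(config_regex, msg=MSG):
    # Returns (pattern the regex engine receives, submatch 1 or an error text).
    pattern = unescape_string_constant(config_regex)
    try:
        m = re.search(pattern, msg)  # layer 2: regex syntax
    except re.error as exc:
        return pattern, "regex error: %s" % exc
    # BLANK in the template: empty string when nothing matches.
    return pattern, m.group(1) if m else ""


if __name__ == "__main__":
    # First entry is what the working template contains, second is the failing one.
    for cfg in (r"(\\[.*)", r"(\[.*)"):
        seen, result = apply_template_regex(cfg)
        print("config text %-8s -> engine sees %-7s -> %s" % (cfg, seen, result))
```

With the double backslash the engine receives `(\[.*)` and matches from the literal bracket onward; with a single backslash the string layer consumes it, and the engine receives `([.*)`, an unterminated bracket expression.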
