Hi, I have the following log message, from which I want to extract ‘root’, ‘4403’ and everything past ‘cmd’. crond[2059]: USER root pid 4403 cmd docker exec -u 33 -t nextcloud-app-1-old php -f /var/www/html/cron.php
I’d like to do that with regex, but I don’t know how, since this gives me error
// extracting crond process, user and
rule "cron parser"
when
contains(to_string($message.hostname), "crond[", true)
then
regex(pattern: "USER (\w+) pid", value: to_string($message.message))
rule "batman"
when
has_field("message") and contains(to_string($message.message), "crond")
then
let something = regex("(user=\\s*(\\S+))", to_string($message.message));
set_field("username", "something");
end
rule "crond_parser"
when
has_field("message") and contains(to_string($message.message), "crond")
then
let m = regex("USER (\\w+) pid (\\d+) cmd (.+$)",to_string($message.message));
set_field("cron_user", m["0"]);
set_field("cron_pid", m["1"]);
set_field("cron_cmd", m["2"]);
end