Replace POSTFIX_TIME_UNIT with a named capture

Author: whyscream

postfix.grok

@@ -17,7 +17,6 @@ POSTFIX_STATUS_CODE_ENHANCED \d\.\d+\.\d+
 POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
 POSTFIX_PS_ACCESS_ACTION (DISCONNECT|DENYLISTED|BLACKLISTED|ALLOWLISTED|WHITELISTED|ALLOWLIST VETO|WHITELIST VETO|PASS NEW|PASS OLD)
 POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
-POSTFIX_TIME_UNIT %{NUMBER}[smhd]
 POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
 POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
 
@@ -88,7 +87,7 @@ POSTFIX_DNSBLOG_LISTING addr %{IP:postfix_client_ip} listed by domain %{HOSTNAME
 POSTFIX_TLSPROXY_CONN (DIS)?CONNECT( from)? %{POSTFIX_CLIENT}
 
 # anvil patterns
-POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix_anvil_conn_rate}/%{POSTFIX_TIME_UNIT:postfix_anvil_conn_period} for \(%{DATA:postfix_service}:(%{IP_UNKNOWN:postfix_client_ip_unknown}|%{IP:postfix_client_ip})\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
+POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix_anvil_conn_rate}/(?<postfix_anvil_conn_period>\d+[smhd]) for \(%{DATA:postfix_service}:(%{IP_UNKNOWN:postfix_client_ip_unknown}|%{IP:postfix_client_ip})\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
 POSTFIX_ANVIL_CONN_CACHE statistics: max cache size %{NUMBER:postfix_anvil_cache_size} at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
 POSTFIX_ANVIL_CONN_COUNT statistics: max connection count %{NUMBER:postfix_anvil_conn_count} for \(%{DATA:postfix_service}:(%{IP_UNKNOWN:postfix_client_ip_unknown}|%{IP:postfix_client_ip})\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
 

test/anvil_0005.yaml

@@ -1,8 +1,8 @@
 pattern: ^%{POSTFIX_ANVIL}$
-data: "statistics: max connection rate 1/60s for (smtpd:2604:8d00:0:1::3) at Oct 26 17:46:59"
+data: "statistics: max connection rate 1/5m for (smtpd:2604:8d00:0:1::3) at Oct 26 17:46:59"
 results:
     postfix_anvil_conn_rate: 1
-    postfix_anvil_conn_period: 60s
+    postfix_anvil_conn_period: 5m
     postfix_service: smtpd
     postfix_client_ip: 2604:8d00:0:1::3
     postfix_anvil_timestamp: Oct 26 17:46:59

test/anvil_0007.yaml

@@ -1,8 +1,8 @@
 pattern: ^%{POSTFIX_ANVIL}$
-data: "statistics: max connection rate 1/60s for (127.0.0.1:2525:127.0.0.1) at Oct 26 18:13:50"
+data: "statistics: max connection rate 1/2h for (127.0.0.1:2525:127.0.0.1) at Oct 26 18:13:50"
 results:
     postfix_anvil_conn_rate: 1
-    postfix_anvil_conn_period: 60s
+    postfix_anvil_conn_period: 2h
     postfix_service: 127.0.0.1:2525
     postfix_client_ip: 127.0.0.1
     postfix_anvil_timestamp: Oct 26 18:13:50

test/anvil_0009.yaml

@@ -1,8 +1,8 @@
 pattern: ^%{POSTFIX_ANVIL}$
-data: "statistics: max connection rate 1/60s for (smtp:unknown) at Sep 7 07:14:19"
+data: "statistics: max connection rate 1/7d for (smtp:unknown) at Sep 7 07:14:19"
 results:
     postfix_anvil_conn_rate: 1
-    postfix_anvil_conn_period: 60s
+    postfix_anvil_conn_period: 7d
     postfix_service: smtp
     postfix_client_ip_unknown: unknown
     postfix_anvil_timestamp: Sep 7 07:14:19