On Tue, 18 Mar 2014, Radu Gheorghe wrote:
> Hi list :)
> I have a specific scenario that I don't know how to tackle: we're receiving
> CEE-formatted logs that we parse with mmjsonparse. How can I use
> mmnormalize to parse unstructured text that lives in one variable of the
> JSON I get?
> For example:
> @cee: {"user": "test1", "group": "users", "message": "apples 3"}
> And I'd like to get, in the end:
> {"user": "test1", "group": "users", "product": "apples", "price": 3}
> It sounds like this would be doable if mmnormalize had a "template" option.
> I would just feed it with the "message" field.

This is something I've been wanting to implement for a while, but I haven't had
the time.

For both mmnormalize and for mmjsonparse, it would be great if they could take
as their input a variable or template instead of defaulting to %msg%. Now that
there is the ability to assign the output of a template to a variable, this is
one step closer, but these modules would still need to have an option to look at
something different (and if someone goes to do this, please modify mmjsonparse
so that a string other than cee can be used).

> But then, would the
> resulting properties overwrite the others (user, group)? It shouldn't,
> especially if I set "path" to "$!parsed_fields" or something like that, no?
> It's worth double-checking :)

I'm pretty sure that they only add, but as you say it's worth double checking.

> Another, somehow related question, is whether there can be an equivalent of
> $!all-json that would contain all variables (JSON + syslog properties).
> This would simplify all the rsyslog+Elasticsearch tutorials out there by a
> lot. And maybe other outputs that need JSON.

The problem is which version of the syslog properties do you want.
%pri%
%facility% %severity%
%facility-text% %severity-text%
%hostname%
%fromhost%
%fromhost-ip%
time in what format?
do you want %rawmsg%
etc

Now, all that being said, I'll point you at the string module capability which
lets a C function return the string (this is how the standard rsyslog templates
are implemented internally). I think that there are a couple of reasonable
combinations of things to create, and if we created a 'standard format' for
people to use it would not only be faster, but much easier on users as well.

David Lang

> Any thoughts/ideas? I'd appreciate any sort of feedback.
> Best regards,
> Radu
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
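
A Python model of the data flow asked about in this thread, added here as an illustration (it is not rsyslog code and not from either poster): it strips the `@cee:` cookie, applies a liblognorm-style rule to the `message` field only, and stores the result under a sub-key so that `user` and `group` are left alone. The function names, the two field types and the never-overwrite merge policy are assumptions of this sketch, not documented module behaviour.

```python
import json
import re

COOKIE = "@cee:"  # prefix that marks a CEE/JSON payload, as in the thread
# Constructed sample line, copied from the example in the question.
SAMPLE = '@cee: {"user": "test1", "group": "users", "message": "apples 3"}'
# Assumed subset of liblognorm-style field types: name -> (regex, cast).
FIELD_TYPES = {"word": (r"\S+", str), "number": (r"\d+", int)}


def compile_rule(rule):
    """Turn '%product:word% %price:number%' into (anchored regex, casts)."""
    parts, casts, pos = [], {}, 0
    for m in re.finditer(r"%(\w+):(\w+)%", rule):
        name, (pattern, cast) = m.group(1), FIELD_TYPES[m.group(2)]
        parts.append(re.escape(rule[pos:m.start()]))  # literal text between fields
        parts.append("(?P<%s>%s)" % (name, pattern))
        casts[name] = cast
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    return re.compile("^" + "".join(parts) + "$"), casts


def parse_cee(line):
    """Return the JSON object after the cookie, or None if the cookie is absent."""
    if not line.startswith(COOKIE):
        return None
    return json.loads(line[len(COOKIE):])


def normalize_field(event, field, rule, path=None):
    """Parse event[field] with rule; store results under `path` or at the root.

    Existing keys are never overwritten. Returns (event, collisions), where
    collisions lists the parsed names that already existed (None on no match).
    """
    regex, casts = compile_rule(rule)
    m = regex.match(str(event.get(field, "")))
    if m is None:
        return event, None
    parsed = {k: casts[k](v) for k, v in m.groupdict().items()}
    target = event if path is None else event.setdefault(path, {})
    collisions = [k for k in parsed if k in target]
    for k, v in parsed.items():
        target.setdefault(k, v)  # add only, keep what mmjsonparse-style parsing set
    return event, collisions
```

The returned collision list is the "worth double-checking" part: a rule whose field name matches an existing JSON key is reported instead of silently replacing a value that downstream alerting may depend on.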