Thanks a lot, David! This clears it up for me.
On Wed, Mar 19, 2014 at 6:00 AM, David Lang <[email protected]> wrote:

> On Tue, 18 Mar 2014, Radu Gheorghe wrote:
>
>> Hi list :)
>>
>> I have a specific scenario that I don't know how to tackle: we're
>> receiving CEE-formatted logs that we parse with mmjsonparse. How can I use
>> mmnormalize to parse unstructured text that lives in one variable of the
>> JSON I get?
>>
>> For example:
>> @cee: {"user": "test1", "group": "users", "message": "apples 3"}
>>
>> And I'd like to get, in the end:
>> {"user": "test1", "group": "users", "product": "apples", "price": 3}
>>
>> It sounds like this would be doable if mmnormalize had a "template"
>> option. I would just feed it with the "message" field.
>
> This is something I've been wanting to implement for a while, but I
> haven't had the time.
>
> For both mmnormalize and mmjsonparse, it would be great if they could
> take as their input a variable or template instead of defaulting to %msg%.
> Now that there is the ability to assign the output of a template to a
> variable, this is one step closer, but these modules would still need to
> have an option to look at something different (and if someone goes to do
> this, please modify mmjsonparse so that a string other than cee can be used).
>
>> But then, would the resulting properties overwrite the others (user,
>> group)? It shouldn't, especially if I set "path" to "$!parsed_fields" or
>> something like that, no? It's worth double-checking :)
>
> I'm pretty sure that they only add, but as you say it's worth double
> checking.
>
>> Another, somehow related question, is whether there can be an equivalent
>> of $!all-json that would contain all variables (JSON + syslog properties).
>> This would simplify all the rsyslog+Elasticsearch tutorials out there by a
>> lot. And maybe other outputs that need JSON.
>
> The problem is which version of the syslog properties do you want.
>
> %pri%
> %facility% %severity%
> %facility-text% %severity-text%
>
> %hostname%
> %fromhost%
> %fromhost-ip%
>
> time in what format?
> do you want %rawmsg%
>
> etc
>
> Now, all that being said, I'll point you at the string module capability
> which lets a C function return the string (this is how the standard rsyslog
> templates are implemented internally). I think that there are a couple
> reasonable combinations of things to create, and if we created a 'standard
> format' for people to use it would not only be faster, but much easier on
> users as well.
>
> David Lang
>
>> Any thoughts/ideas? I'd appreciate any sort of feedback.
>>
>> Best regards,
>> Radu
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/
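A stand-alone Python model of the transformation asked about in this thread, added here as an example; it is not rsyslog, mmnormalize or liblognorm code and does not come from either poster. The regex rule, the function names and the add-only merge policy are assumptions made for illustration, and the sample line is the one quoted above.

```python
import json
import re

CEE_COOKIE = "@cee:"
# Constructed rule for the thread's "apples 3" sample: a word, a space, an integer.
RULE = re.compile(r"^(?P<product>\S+) (?P<price>\d+)$")


def parse_cee(line):
    """Return the JSON object that follows the @cee: cookie, or None."""
    if not line.startswith(CEE_COOKIE):
        return None
    try:
        obj = json.loads(line[len(CEE_COOKIE):])
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def normalize_field(event, field="message", path=None, keep_source=False):
    """Parse event[field] with RULE and add the fields without overwriting.

    path=None merges into the root object; a path such as "parsed_fields"
    nests the result. Returns (new_event, skipped_keys); event is not modified.
    """
    out = dict(event)
    text = event.get(field)
    match = RULE.match(text) if isinstance(text, str) else None
    if match is None:
        return out, []  # no rule matched: pass the event through unchanged
    parsed = {"product": match["product"], "price": int(match["price"])}
    if path is None:
        target = out
    elif isinstance(out.get(path, {}), dict):
        target = out[path] = dict(out.get(path, {}))
    else:
        return out, [path]  # path already holds a non-object value
    skipped = [key for key in parsed if key in target]
    for key, value in parsed.items():
        target.setdefault(key, value)  # add only, never replace
    if not keep_source:
        out.pop(field, None)
    return out, skipped


SAMPLE = '@cee: {"user": "test1", "group": "users", "message": "apples 3"}'
```

The second return value lists parsed keys that collided with existing ones, which makes the "add only" behaviour discussed above observable instead of silent.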

