Well, then you could use the CEE JSON format and extract a specific field. Or put it into the tag (if it's small enough) and use field-based extraction. You can have a look at this presentation:
http://www.slideshare.net/rainergerhards1/rsyslog-log-normalization

Starting at slide 19, it should give you some ideas.

Rainer

On Wed, Apr 2, 2014 at 2:23 PM, Oliver Bestwalter <[email protected]> wrote:

> Hi Rainer,
>
> On 2 April 2014 11:50, Rainer Gerhards <[email protected]> wrote:
>
> > can you provide a sample of a message that you generate and tell us where
> > the to-be-filtered field is?
>
> Not really - my question is this abstract because I simply don't know how
> this would be possible in rsyslog and if it is possible at all ... As I
> don't know how this should be done I try not to assume anything and only
> try to tell you what I need. It does not even have to be a specific field
> (my understanding of those is a bit fuzzy still anyway) but it could
> filter for a message part in brackets or some similar marker.
>
> Example log messages with a brackets marker:
>
> <group_a> Message that will end up only in "group_a.log"
> <group_a> Another Message for "group_a.log"
> <group_b> Some interesting message for "group_b.log"
> <group_c> Message for "group_c.log"
>
> These messages based on the matched name will then end up in the
> corresponding log file. For the above example, the logfiles with their
> contents would be:
>
> /var/log/group_logs/group_a.log
> <group_a> Message that will end up only in "group_a.log"
> <group_a> Another Message for "group_a.log"
>
> /var/log/group_logs/group_b.log
> <group_b> Some interesting message for "group_b.log"
>
> /var/log/group_logs/group_c.log
> <group_c> Message for "group_c.log"
>
> So it would work like a regex that saves the matched name in a group and
> uses it as the name of the file.
>
> [If possible it would be nice to massage the contents to leave out the
> <...> parts, but I guess that's a different question].
>
> Sorry if that was a bit verbose ... hope that clarifies it.
>
> Cheers
> Oliver
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
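
The two options named in the reply (a CEE JSON field, or the tag) can both drive a dynamic file name. The configuration below is an added example, not part of the original thread. The `local5` facility, the template names, and the JSON field names `group` and `msg` are assumptions. Because the file name comes from data the sender controls, both name templates use `securepath="replace"`.

```rsyslog
# Added example, not from the thread. Directory and group names follow the
# sample in the question; facility, template names and JSON fields are assumed.
# Assumed sender format for the JSON variant (constructed sample):
#   @cee: {"group":"group_a","msg":"Message that will end up only in group_a.log"}

module(load="mmjsonparse")   # parses messages that carry the "@cee:" cookie

# File name built from the JSON field "group". securepath="replace" rewrites
# "/" in the value, so a sender cannot steer output outside group_logs/.
template(name="GroupFileFromJson" type="list") {
    constant(value="/var/log/group_logs/")
    property(name="$!group" securepath="replace")
    constant(value=".log")
}

# Same idea when the group name travels in the syslog tag instead.
template(name="GroupFileFromTag" type="list") {
    constant(value="/var/log/group_logs/")
    property(name="programname" securepath="replace")
    constant(value=".log")
}

# Line format that writes only the text, leaving the group marker out.
template(name="GroupLine" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="$!msg")
    constant(value="\n")
}

if $syslogfacility-text == "local5" then {
    action(type="mmjsonparse")
    if $parsesuccess == "OK" and $!group != "" then {
        # JSON parsed and a group field is present: route by that field.
        action(type="omfile" dynaFile="GroupFileFromJson" template="GroupLine"
               dynaFileCacheSize="16")
    } else {
        # No usable JSON: fall back to routing by the tag's program name.
        action(type="omfile" dynaFile="GroupFileFromTag")
    }
    stop
}
```

Every distinct group value creates a new file, so restrict which senders may log to the chosen facility or compare the value against a fixed set of names before the `omfile` action.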

