On Fri, 2 Dec 2016, Rainer Gerhards wrote:

>> This could be because the source came in with names already (json, cef,
>> name-value, etc), or because you need to take multiple fields in the log and
>> combine them.
>>
>> if the liblognorm ruleset ammend=: line could assign variable contents, not
>> just constant strings, it would address 90% of the issues.
>
> can you give an example of what you think? I ask because liblognorm
> does not know rsyslog variables (it cannot, as it is not a rsyslog
> thingy).

I'm just talking about referencing variables defined as a part of the rule that was just run.

I've had cases where I parse two named items in a rule but really want to treat them as a single item later, so being able to say a=$b+' '+$c would be very useful.

or cases where the log arrives as json and I really want to combine fields in it, or rename them.

I saw this a lot with Windows logs: they like to have date and time as separate fields, or have names of fields that don't match up with the names used in other log sources, so a simple ammend=:a=$b would help a lot.

There are cases where real logic/math is needed, and I think those are inappropriate for such things, but there's a lot that can be done with simple assignments that can contain variables.

David Lang
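To make the proposal concrete, here is an added example (not code from the thread, from liblognorm or from rsyslog) that implements the semantics David Lang describes: an assignment line whose right-hand side may mix constant strings with $name references to fields the same rule already produced, and nothing else (no logic, no arithmetic). The `amend=:` line format, the field names and the sample event are constructed for illustration; liblognorm has no such directive, and this Python is a model of the idea, not its rulebase parser. It covers both the "combine two parsed items into one" case and the "rename fields from a JSON source" case.

```python
import json
import re

# Constructed sample event, in the style of a Windows event delivered as JSON:
# date and time arrive as separate fields, and the field names do not match
# the names used by other log sources.
SAMPLE_EVENT = json.dumps({
    "EventDate": "2016-12-02",
    "EventTime": "09:15:30",
    "SourceHost": "WIN-DC01",
    "TargetUser": "jdoe",
    "EventID": "4624",
})

# Hypothetical rulebase lines in the shape proposed in the thread. The
# right-hand side is a '+'-joined sequence of $field references and quoted
# constants; anything else is rejected by the parser.
SAMPLE_RULES = [
    'amend=:timestamp=$EventDate+" "+$EventTime',      # combine two fields
    'amend=:hostname=$SourceHost',                     # plain rename
    'amend=:user=$TargetUser',
    'amend=:msg="logon event "+$EventID+" for "+$TargetUser+"@"+$SourceHost',
]

# One token: a $reference or a quoted string, with surrounding whitespace.
TOKEN_RE = re.compile(r'''\s*(?:\$(?P<var>\w+)|"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')\s*''')


def parse_amend(line):
    """Parse 'amend=:target=expr' into (target, [('var', name) | ('str', text), ...]).

    Only references and constants joined by '+' are accepted, so a rulebase
    cannot smuggle in expressions the format was never meant to carry.
    """
    if not line.startswith("amend=:"):
        raise ValueError("not an amend line: %r" % line)
    target, sep, expr = line[len("amend=:"):].partition("=")
    target = target.strip()
    if not sep or not re.fullmatch(r"\w+", target):
        raise ValueError("bad assignment target in %r" % line)
    parts = []
    pos = 0
    while True:
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("expected $field or quoted string at %r" % expr[pos:])
        if m.group("var") is not None:
            parts.append(("var", m.group("var")))
        else:
            text = m.group("dq") if m.group("dq") is not None else m.group("sq")
            parts.append(("str", text))
        pos = m.end()
        if pos == len(expr):
            return target, parts
        if expr[pos] != "+":
            raise ValueError("expected '+' at %r" % expr[pos:])
        pos += 1


def apply_amends(fields, rules, strict=True):
    """Apply amend rules in order to a dict of parsed fields.

    Later rules see the results of earlier ones. Field values are substituted
    as opaque strings: a '$' inside log data is never re-expanded, so data
    cannot reference other fields or alter the rule.
    """
    out = dict(fields)
    for line in rules:
        target, parts = parse_amend(line)
        pieces = []
        for kind, val in parts:
            if kind == "str":
                pieces.append(val)
            elif val in out:
                pieces.append(str(out[val]))
            elif strict:
                raise KeyError("rule %r references missing field %r" % (line, val))
            else:
                pieces.append("")   # lenient mode: missing field becomes empty
        out[target] = "".join(pieces)
    return out


def normalize_json_event(raw, rules):
    """Parse a JSON-formatted event and apply the amend rules to its fields."""
    return apply_amends(json.loads(raw), rules)


if __name__ == "__main__":
    print(json.dumps(normalize_json_event(SAMPLE_EVENT, SAMPLE_RULES), indent=2))
```

Two design points worth keeping if something like this ever lands in a real rulebase: the grammar stops at references and constants, so the "real logic/math" David Lang wants to keep out cannot creep in, and substitution treats field values as data rather than re-parsing them, so a `$` in an attacker-controlled log field cannot pull in other fields. At the rsyslog level, after mmnormalize has produced the fields, the same concatenation is already expressible in RainerScript with the `&` operator (for example `set $!a = $!b & " " & $!c;`), which is consistent with Rainer's point that the variables live in rsyslog rather than in liblognorm.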
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.