2016-12-02 9:11 GMT+01:00 David Lang <da...@lang.hm>:
> On Fri, 2 Dec 2016, Rainer Gerhards wrote:
>
>>> This could be because the source came in with names already (json, cef, name-value, etc), or because you need to take multiple fields in the log and combine them.
>>>
>>> if the liblognorm ruleset ammend=: line could assign variable contents, not just constant strings, it would address 90% of the issues.
>>
>> can you give an example of what you think? I ask because liblognorm does not know rsyslog variables (it cannot, as it is not a rsyslog thingy).
>
> I'm just talking about referencing variables defined as a part of the rule that was just run.
>
> I've had cases where I parse two named items in a rule, but really will be wanting to treat them as a single item later, so being able to say a=$b+' '+$c would be very useful.
>
> or cases where the log arrives as json and I really want to combine fields in it, or rename them.
>
> I saw this a lot with Windows logs, they like to have date and time as separate fields, or have names of fields that don't match up with the names used in other log sources, so a simple ammend=:a=$b would help a lot.
>
> There are cases where real logic/math is needed, and I think those are inappropriate for such things, but there's a lot that can be done with simple assignments that can contain variables.

Nothing I can do immediately, but can you pls open an issue tracker with some explanation (copy&paste?) on liblognorm. I have planned time early next year to work on enhancements and this would fit in.

Rainer