This sounds very much like something that is easier to achieve with the new rsyslog v6 message normalization functionality. You may want to have a look at the mmnormalize document as well as at www.liblognorm.com . We are also working on a tutorial on how to use it right now, will probably become available next week.
Rainer > -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Sandeep Sukhija > Sent: Thursday, April 14, 2011 1:47 PM > To: [email protected] > Subject: [rsyslog] Need help in extracting and transforming the message > to some other format > > Hello, > > My rsyslog version is 5.6.5. I am working on parsing the string and > transforming the string to the database query. The setup and > integration of postgresql database module is working fine and has been > tested. > > > I wish to transform a string of sort say > "stagename=antivirus,tid=12345,status=success" and i have to create a > query of type "insert into rsyslog(stage,tid,status) > values('antivirus','12345','success')". > > > I achieved this by adding a template > > > $template tpl_rsyslog,"insert into rsyslog(stage,tid,status) > values('%msg:R,ERE,3,FIELD:(([[:space:]]*[a-z0-9]*)=([a-z0- > 9]+),[[:space:]]*)(([a-z0-9]*)=([a-z0-9]+),[[:space:]]*)(([a-z0- > 9]*)=([a-z0-9]+),[[:space:]]*)(([a-z0-9]*)=([a-z0-9]+)[[:space:]]*)-- > end%','%msg:R,ERE,6,FIELD:(([[:space:]]*[a-z0-9]*)=([a-z0- > 9]+),[[:space:]]*)(([a-z0-9]*)=([a-z0-9]+),[[:space:]]*)(([a-z0- > 9]*)=([a-z0-9]+),[[:space:]]*)(([a-z0-9]*)=([a-z0-9]+)[[:space:]]*)-- > end%','%msg:R,ERE,9,FIELD:(([[:space:]]*[a-z0-9]*)=([a-z0- > 9]+),[[:space:]]*)(([a-z0-9]*)=([a-z0-9]+),[[:space:]]*)(([a-z0- > 9]*)=([a-z0-9]+),[[:space:]]*)(([a-z0-9]*)=([a-z0-9]+)[[:space:]]*)-- > end%')",SQL > > > which works fine in this case where, > > input : stagename=antivirus,tid=12345,status=success > > output : insert into syslog(stage,tid,status) > values('antivirus','12345','success') > > > but, the regular expression provides the support for getting only the > fields from range 0 to 9 in %msg:R,ERE,3,FIELD:<expression>%. If the > field is at the 12th position, i am unable to get that string. > > > Is there a workaround to get this thing done or i have missed > something? > > > Also i would like to know, whether we can pipe the output of 1 property > replacer to another? > > > Example, if that was possible, then i would have first used the field > separator to get the first token stagename=antivirus and then using the > regular expression or field separator again would have got the value of > the stagename. > > > Can u pls provide the suggestion regarding the method i am trying to > apply or a workaround to get this. > > > Thankyou, > > Sandeep Sukhija, > > Mithi Software Technologies Pvt. Ltd., Pune. > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
