> We're working on a new input module, to parse Cisco Netflow data. As
> part of this, we parse out all the relevant pieces of information
> (source IP, destination IP, etc.), and then recombine them into a
> string, which then gets passed on. It seems very inefficient to parse
> out individual pieces, recombine them into a string, and then re-parse
> it out when we want to use it in a template.
>
> Is there a way for an input or message modification module to add
> additional properties to each message? Would it be better to write a
> liblognorm parser? Apart from mmnormalize, are there other modules that
> do this that we could look at?

I am currently redesigning this capability, as part of the cee/lumberjack effort. I expect that much in this area improves in April. Right now, there is mmjsonparse, which probably gets you one idea of how to do it. If mmnormalize fits your needs, I suggest using it, as the parser is optimized for semi-structured text.

Rainer

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/

