I use redis for this. I have rsyslog incrementing various counters in redis depending on the message details using Brian's omhiredis plugin.
-- Gary F.

On May 2, 2013, at 5:34 AM, Balamurugan Arumugam <[email protected]> wrote:

>
> ----- Original Message -----
>> From: "Rainer Gerhards" <[email protected]>
>> To: "rsyslog-users" <[email protected]>
>> Sent: Thursday, May 2, 2013 5:35:49 PM
>> Subject: Re: [rsyslog] counting messages in a rule
>>
>> On Thu, May 2, 2013 at 12:26 PM, Balamurugan Arumugam
>> <[email protected]> wrote:
>>
>>>
>>> ----- Original Message -----
>>>> From: "Rainer Gerhards" <[email protected]>
>>>> To: "rsyslog-users" <[email protected]>
>>>> Sent: Thursday, May 2, 2013 3:22:51 PM
>>>> Subject: Re: [rsyslog] counting messages in a rule
>>>>
>>>> On Thu, May 2, 2013 at 11:39 AM, Balamurugan Arumugam
>>>> <[email protected]> wrote:
>>>>
>>>>>
>>>>> Hello list,
>>>>>
>>>>> I would like to count and set for given app-name and syslogseverity.
>>>>> For example,
>>>>>
>>>>> count = 0
>>>>> if $app-name == 'gluster' and $syslogseverity-text == 'crit' then {
>>>>> count = count + 1
>>>>> set $!usr!count = count
>>>>>
>>>>
>>>> set $!usr!count = $!usr!count + 1;
>>>
>>>
>>> It doesn't work as expected.
>>>
>> I didn't pay close enough attention. You want to have a message counter.
>> Therefore you need global variables. They are not available yet. I did not
>> implement them as I was/am very curious if they are actually needed. What's
>> the use case behind this request?
>>
>
> I feel it will be very useful. My use case is, alert user by email, snmp etc
> on basis of message count per severity/facility. For example, raise snmp
> trap of every 10th critical messages, every 50th send mail to admin, on every
> 100th alert manager and reset the count etc.
>
> Thanks,
> Bala
>
>
>> Thx,
>> Rainer
>>
>>>
>>> [2013-05-02T15:53:32.217691+05:30] { "pid": 4188, "uid": 0, "gid": 0,
>>> "appname": "gluster", "exe": "\/usr\/sbin\/gluster", "cmd": "gluster --xml
>>> --mode=script volume info ", "usr": { "count": 1 } }
>>> [2013-05-02T15:53:32.217753+05:30] { "pid": 4188, "uid": 0, "gid": 0,
>>> "appname": "gluster", "exe": "\/usr\/sbin\/gluster", "cmd": "gluster --xml
>>> --mode=script volume info ", "usr": { "count": 1 } }
>>> [2013-05-02T15:53:32.279690+05:30] { "pid": 4188, "uid": 0, "gid": 0,
>>> "appname": "gluster", "exe": "\/usr\/sbin\/gluster", "cmd": "gluster --xml
>>> --mode=script volume info ", "usr": { "count": 1 } }
>>> [2013-05-02T15:53:32.279708+05:30] { "pid": 4188, "uid": 0, "gid": 0,
>>> "appname": "gluster", "exe": "\/usr\/sbin\/gluster", "cmd": "gluster --xml
>>> --mode=script volume info ", "usr": { "count": 1 } }
>>> [2013-05-02T15:53:32.279822+05:30] { "pid": 4188, "uid": 0, "gid": 0,
>>> "appname": "gluster", "exe": "\/usr\/sbin\/gluster", "cmd": "gluster --xml
>>> --mode=script volume info ", "usr": { "count": 1 } }
>>> [2013-05-02T15:53:32.279834+05:30] { "pid": 4188, "uid": 0, "gid": 0,
>>> "appname": "gluster", "exe": "\/usr\/sbin\/gluster", "cmd": "gluster --xml
>>> --mode=script volume info ", "usr": { "count": 1 } }
>>>
>>> Is this known issue in rsyslog-7.3.9 from fedora rawhide on fedora 18?
>>>
>>> Thanks,
>>> Bala
>>>
>>>
>>>> Rainer
>>>>
>>>>> }
>>>>>
>>>>> Could someone give me a pointer how I can achieve this?
>>>>>
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> Regards,
>>>>> Bala
>>>>> _______________________________________________
>>>>> rsyslog mailing list
>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>> http://www.rsyslog.com/professional-services/
>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>> DON'T LIKE THAT.
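
The escalation scheme described in the thread (every 10th critical message an SNMP trap, every 50th a mail, every 100th an alert and a reset), as an added example that is not code from any poster or from rsyslog. `CounterStore` is a hypothetical in-memory stand-in for a Redis hash, the action names and the `severity` field are assumptions, and a count that is a multiple of several tiers is assumed to fire all of them.

```python
import json
from collections import defaultdict

# Escalation tiers from the thread: every 10th message an SNMP trap, every
# 50th a mail to the admin, every 100th an alert to the manager plus a reset.
TIERS = [(10, "snmp_trap"), (50, "mail_admin"), (100, "alert_manager")]


class CounterStore:
    """In-memory stand-in for a Redis hash; incr() returns the new value."""

    def __init__(self):
        self._hash = defaultdict(int)

    def incr(self, field):
        self._hash[field] += 1
        return self._hash[field]

    def reset(self, field):
        self._hash[field] = 0


def process(event, store, watch=("crit",)):
    """Count one parsed event; return the alert actions its count triggers."""
    # Only watched severities are counted; app-name is sender-controlled.
    if event.get("severity") not in watch:
        return []
    field = f'{event["appname"]}:{event["severity"]}'
    count = store.incr(field)
    actions = [name for every, name in TIERS if count % every == 0]
    if count == TIERS[-1][0]:  # highest tier reached: start a new cycle
        store.reset(field)
    return actions


def replay(lines, store=None):
    """Feed JSON log lines through process(); return {message_no: actions}."""
    store = store or CounterStore()
    fired = {}
    for n, line in enumerate(lines, start=1):
        actions = process(json.loads(line), store)
        if actions:
            fired[n] = actions
    return fired


# Constructed sample input: 120 critical gluster messages and one info message.
SAMPLE = [json.dumps({"appname": "gluster", "severity": "crit"})] * 120
SAMPLE.insert(5, json.dumps({"appname": "gluster", "severity": "info"}))
```

Because the counter key includes the sender-supplied app-name, a deployment would normally restrict counting to an allow-list of application names so that arbitrary senders cannot create unbounded keys.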

