Rainer, thanks a lot for putting together the code and the documentation.
Really useful stuff.
I've compiled the master branch just now and took it for a spin. Here are
my conclusions:
- "submitted" counter feels right. Or maybe 1 or 2 messages off, but it
doesn't matter, really
- failed.http counter seems to only increment every time the connection to
ES fails. So not for every message, for every failure. For example, you
send 100 messages, they work, then you shut down ES, send another 100:
you'll have submitted=200, failed.http=1. It's useful to know how many
times ES went down, but it would also be useful to know how many messages
were lost
- failed.es counter doesn't seem to work. I mean, at least not for JSON
errors, which was the easiest way to poke it. I also tried a slightly
smarter hack of making ES think the message field is numeric, to cry a
NumberFormatException when it finds out it's a string. Sadly,
failed.es remained 0. Anyway, here's how I did that:
------------------------
# curl -XDELETE localhost:9200/system
# curl -XPUT localhost:9200/system
# curl -XPUT localhost:9200/system/events/_mapping -d '{
  "events": {
    "properties": {
      "@message": {
        "type": "long"
      }
    }
  }
}'
------------------------
And my conf:
------------------------
module(load="/usr/local/lib64/rsyslog/imuxsock.so")
module(load="/usr/local/lib64/rsyslog/impstats.so"
       interval="5"
       log.syslog="off"
       log.file="/var/log/stats")
module(load="/usr/local/lib64/rsyslog/omelasticsearch.so")
template(name="plain-syslog"
         type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@host\":\"")
    property(name="hostname")
    constant(value="\",\"@severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"@facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"@syslogtag\":\"")
    property(name="syslogtag" format="json")
    constant(value="\",\"@message\":\"")
    property(name="msg" format="json")
    constant(value="\"}") #comment this one to have a JSON parsing failure
}
*.* action(type="omelasticsearch"
           template="plain-syslog")
------------------------
Thanks and best regards,
Radu
2013/9/12 Rainer Gerhards <[email protected]>
> On Wed, Sep 11, 2013 at 3:16 PM, Radu Gheorghe <[email protected]> wrote:
>
> > 2013/9/11 Rainer Gerhards <[email protected]>
> >
> > > On Mon, Aug 26, 2013 at 4:58 PM, Radu Gheorghe <[email protected]> wrote:
> > >
> > > > OK, Rainer! Sounds like a plan :)
> > > >
> > > >
> > > yupp, like one that didn't work out ;) When 7.5.3 is out (hopefully today),
> > > I'll try to do this as next thing... No need to hurry for you, but I want
> > > to get this done from my PoV before s/t else comes in between again ;)
> > >
> > >
> > Hehe, no problem :) I'm at this point where there's so much on my plate
> > that I need a bigger plate...
> >
>
> hehe, I know that feeling ;)
>
> In case you get a bigger one, I have now streamlined/fixed the counters. New
> doc is here:
>
> http://www.rsyslog.com/rsyslog-statistic-counter/
>
> You probably best use either the v7-stable or master git branches, as
> fiddling the individual patches may go wrong ;)
>
> Rainer
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
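An added example, not part of the original message or of rsyslog: a small Python reader for the impstats file configured above (`/var/log/stats`) that turns the omelasticsearch counters into per-interval deltas and flags the intervals in which failed.http or failed.es rose. The line layout, the cumulative-counter behaviour and the function names are assumptions, and the sample lines are constructed to mirror the submitted=200, failed.http=1 test described in the message.

```python
# Constructed sample of /var/log/stats. Assumed layout:
#   "<timestamp>: <origin>: key=value key=value ..."
SAMPLE = """\
Thu Sep 12 10:00:05 2013: omelasticsearch: submitted=100 failed.http=0 failed.es=0
Thu Sep 12 10:00:05 2013: imuxsock: submitted=100 ratelimit.discarded=0
Thu Sep 12 10:00:10 2013: omelasticsearch: submitted=200 failed.http=1 failed.es=0
Thu Sep 12 10:00:15 2013: omelasticsearch: submitted=200 failed.http=1 failed.es=0
Thu Sep 12 10:00:20 2013: omelasticsearch: submitted=50 failed.http=0 failed.es=0
"""
ORIGIN = "omelasticsearch"
FAILURE_COUNTERS = ("failed.http", "failed.es")


def parse(text):
    """Yield (timestamp, {counter: int}) for each omelasticsearch stats line."""
    for line in text.splitlines():
        ts, sep, kv = line.partition(": " + ORIGIN + ": ")
        if not sep:
            continue  # stats line of another module, or unrelated text
        counters = {}
        for pair in kv.split():
            key, eq, val = pair.partition("=")
            if eq and val.isdigit():
                counters[key] = int(val)
        yield ts, counters


def deltas(samples):
    """Convert cumulative counters (assumed) into per-interval deltas.
    A counter that goes down is treated as a reset, e.g. an rsyslog restart."""
    rows, prev = [], None
    for ts, cur in samples:
        if prev is not None:
            reset = any(cur.get(k, 0) < v for k, v in prev.items())
            base = {} if reset else prev
            rows.append((ts, {k: v - base.get(k, 0) for k, v in cur.items()}, reset))
        prev = cur
    return rows


def alerts(rows):
    """Return (timestamp, counter, increase) for every failure counter that rose."""
    return [(ts, k, d[k]) for ts, d, _ in rows
            for k in FAILURE_COUNTERS if d.get(k, 0) > 0]


if __name__ == "__main__":
    for ts, name, inc in alerts(deltas(parse(SAMPLE))):
        print(f"{ts}: {name} +{inc}")
```

Going by the behaviour reported in the message, a failed.http increase of 1 marks one connection failure, not one lost message, so the submitted delta for the same interval is the closer hint at how many messages were affected.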