Thx for the feedback. I know at least one cause. Will try to check tomorrow.
Rainer On Wed, Sep 18, 2013 at 7:45 PM, Radu Gheorghe <[email protected]>wrote: > Rainer, thanks a lot for putting together the code and the documentation. > Really useful stuff. > > I've compiled the master branch just now and took it for a spin. Here are > my conclusions: > - "submitted" counter feels right. Or maybe 1 or 2 messages off, but it > doesn't matter, really > - failed.http counter seems to only increment every time the connection to > ES fails. So not for every message, for every failure. For example, you > send 100 messages, they work, then you shut down ES, send another 100: > you'll have submitted=200, failed.http=1. It's useful to know how many > times ES went down, but it would also be useful to know how many messages > were lost > - failed.es counter doesn't seem to work. I mean, at least not for JSON > errors, which was the easiest way to poke it. I also tried a slightly > smarter hack of making ES think the message field is numeric, to cry a > NumberFormatException when it finds out it's a string. Sadly, > failed.esremained 0. Anyway, here's how I did that: > > ------------------------ > # curl -XDELETE localhost:9200/system > # curl -XPUT localhost:9200/system > # curl -XPUT localhost:9200/system/events/_mapping -d '{ > "events": { > "properties": { > "@message": { > "type": "long" > } > } > } > }' > ------------------------ > > And my conf: > ------------------------ > module(load="/usr/local/lib64/rsyslog/imuxsock.so") > module(load="/usr/local/lib64/rsyslog/impstats.so" > interval="5" > log.syslog="off" > log.file="/var/log/stats") > module(load="/usr/local/lib64/rsyslog/omelasticsearch.so") > > template(name="plain-syslog" > type="list") { > constant(value="{") > constant(value="\"@timestamp\":\"") > property(name="timereported" dateFormat="rfc3339") > constant(value="\",\"@host\":\"") > property(name="hostname") > constant(value="\",\"@severity\":\"") > property(name="syslogseverity-text") > constant(value="\",\"@facility\":\"") > property(name="syslogfacility-text") > constant(value="\",\"@syslogtag\":\"") > property(name="syslogtag" format="json") > constant(value="\",\"@message\":\"") property(name="msg" > format="json") > constant(value="\"}") #comment this one to have a JSON parsing > failure > } > *.* action(type="omelasticsearch" > template="plain-syslog") > ------------------------ > > Thanks and best regards, > Radu > > > 2013/9/12 Rainer Gerhards <[email protected]> > > > On Wed, Sep 11, 2013 at 3:16 PM, Radu Gheorghe <[email protected] > > >wrote: > > > > > 2013/9/11 Rainer Gerhards <[email protected]> > > > > > > > On Mon, Aug 26, 2013 at 4:58 PM, Radu Gheorghe < > > [email protected] > > > > >wrote: > > > > > > > > > OK, Rainer! Sounds like a plan :) > > > > > > > > > > > > > > yupp, like one that didn't work out ;) When 7.5.3 is out (hopefully > > > today), > > > > I'll try to do this as next thing... No need to hurry for you, but I > > want > > > > to get this done from my PoV before s/t else comes in between again > ;) > > > > > > > > > > > Hehe, no problem :) I'm at this point where there's so much on my plate > > > that I need a bigger plate... > > > > > > > hehe, I know that feeling ;) > > > > I case you get a bigger one, I have now streamlined/fixed the counters. > New > > doc is here: > > > > http://www.rsyslog.com/rsyslog-statistic-counter/ > > > > You probably best use either the v7-stable or master git branches, as > > fiddeling the individual patches may go wrong ;) > > > > Rainer > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
