If you already have things in JSON when you read them, use mmjsonparse to turn
things into variables, then change the variables around to be whatever you need
them to be.
You will then need to change the template that the es module uses to send the
data to use all these variables instead of just using $msg.
Write the log out to a file using the format RSYSLOG_DebugFormat and you will
see what is in each variable.
David Lang
On Wed, 8 Oct 2014, Radu Gheorghe wrote:
If you're looking for a grok equivalent, have a look at mmnormalize:
http://www.rsyslog.com/doc/master/configuration/modules/mmnormalize.html
It's not as flexible as grok is by using regular expressions, but it should
be a lot faster. You would have to come up with your own patterns, though,
and you can look at the documentation for liblognorm (the library on which
mmnormalize is based) to get all the info about building patterns:
http://rsyslog.github.io/liblognorm/doc/_build/html/
Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/
On Wed, Oct 8, 2014 at 2:06 PM, SjirBagmeijer <[email protected]>
wrote:
I have everything shipped now without issues! Thank you again for all the
help provided so far.
I have one final question: is there a way also to get the json file to be
split, basically how you do in Logstash with grok, so Kibana shows
everything in different fields?
Basically like I do here with logstash:
https://trash.ulyaoth.net/trash/png/logstash/geoip/logstashgeoip.png
So there is a "request" field, "status" field etc.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
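The steps from the first reply in this thread (parse with mmjsonparse, adjust the variables, send them through a per-field template, inspect with RSYSLOG_DebugFormat), put together as an rsyslog configuration. This is an added example, not configuration posted by anyone in the thread; the Elasticsearch host and port, the index name, the debug file path and the incoming key `response_code` are assumptions.

```conf
# Added example. Hosts, paths and field names are assumptions, not from the thread.
module(load="mmjsonparse")
module(load="omelasticsearch")

# One JSON field per variable, instead of a single field holding $msg.
template(name="es_fields" type="list") {
    constant(value="{")
    property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
    constant(value=",")
    property(outname="host" name="hostname" format="jsonf")
    constant(value=",")
    property(outname="request" name="$!request" format="jsonf")
    constant(value=",")
    property(outname="status" name="$!status" format="jsonf")
    constant(value="}")
}

# Parse the JSON payload into the $! variable tree.
# By default mmjsonparse only parses messages that start with the "@cee:" cookie.
action(type="mmjsonparse")

if $parsesuccess == "OK" then {
    # "Change the variables around": rename an assumed incoming key to the
    # field name wanted in Kibana.
    set $!status = $!response_code;
    unset $!response_code;

    action(type="omelasticsearch"
           server="localhost"
           serverport="9200"
           searchIndex="nginx-access"
           template="es_fields"
           bulkmode="on")
}

# Every message, parsed or not, with all properties and variables listed.
# Use this to check what mmjsonparse produced, and to spot messages that
# failed to parse and were therefore never sent to Elasticsearch.
action(type="omfile"
       file="/var/log/rsyslog-debug.log"
       template="RSYSLOG_DebugFormat")
```

The `jsonf` format escapes each value for JSON, so quotes or backslashes inside a request string cannot break the document sent to Elasticsearch.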