--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft keyboard sporting its not-so-smart-assist technology.

On Jan 27, 2015 11:47 PM, "Chris Schafer" <[email protected]> wrote:
>
> I don't like 'or' because that is exactly what multiple rules with same
> prefix do.
>
> It's a little more verbose, but much more readable too.
>
>
> What if we could tag the same tag on two things, and if the first fails the
> second works?
>
> %tag1:quoted-string%%tag1:word%

That would conflict with existing semantics of sample. Maybe it'll be useful to discuss what you want to achieve with such representations of sample. I mean if possible, take a few samples from your existing rulebase which you think highlight the problem(s) you are facing.

>
> On Tue Jan 27 2015 at 12:44:37 AM Rainer Gerhards < [email protected]>
> wrote:
>
> > First of all, it's nice to see Chris patch and work. Much appreciated. I am
> > still a bit on my CI-induced backlog, but hope to be able to finish that
> > either today or tomorrow. Then at latest I can have a deeper look. Just a
> > quick comment for now:
> >
> > 2015-01-27 7:56 GMT+01:00 singh.janmejay <[email protected]>:
> >
> > > Sorry, I missed the documentation patch somehow. Thanks for correcting.
> > >
> > > I don't like 'or' because that is exactly what multiple rules with same
> > > prefix do.
> > >
> >
> > I agree, I don't like the idea as well.
> >
> >
> > > > It's a little more verbose, but much more readable too.
> > >
> > > I don't think introducing multiple ways of doing the same thing is a good
> > > idea.
> > >
> >
> > Without the ability to go into more specifics at the moment, it very much
> > looks like I will be able to concentrate much more on liblognorm for quite
> > a bit in the coming months, as part of a research project. If so, I will
> > probably also re-think the rule language and there may be smarter ways to
> > handle it than we currently do. At least for now, I think we should not do
> > the "or" part.
> >
> > Rainer
> >
> > > --
> > > Regards,
> > > Janmejay
> > >
> > > PS: Please blame the typos in this mail on my phone's uncivilized soft
> > > keyboard sporting its not-so-smart-assist technology.
> > >
> > > On Jan 27, 2015 11:43 AM, "Chris Schafer" <[email protected]>
> > > wrote:
> > >
> > > > @Janmejay:
> > > > I'll be honest - I <strike>don't</strike> didn't know if it'll handle
> > > > escape sequences. I didn't test it earlier, just tested it now. Totally
> > > > worked, woo!
> > > > I did put in documentation - you can check the file. Actually included a
> > > > little bugfix on existing documentation that kept it from compiling as
> > > > well.
> > > > I'm not against putting tests in at all, though I didn't because I didn't
> > > > see any tests for the non-special functions, only regex and tokenization. I
> > > > can throw them in. What I did do is test this against a couple thousand log
> > > > lines that I actually needed to parse, just to make sure it worked.
> > > >
> > > > On Mon Jan 26 2015 at 10:01:21 PM Kendall Green <[email protected]>
> > > > wrote:
> > > >
> > > > > I like the 'or' option, precisely for doing type check condition when a
> > > > > whole lot of fields exists in records. This is currently cumbersome and
> > > > > quickly becomes a daunting mess of a Cartesian Product set rule base for
> > > > > all the combination of fields that could have single values unquoted, or
> > > > > possibly quoted. Not to mention how this use case carries over to other
> > > > > scenarios where an or operation would be invaluable to type casting.
> > > > >
> > > > > %<tag>:<type>:or:<type>%
> > > > > could be very useful, not just to solve the issue of which behavior should
> > > > > be default, as it would be set by the syntax.
> > > > >
> > > > > For example, if type quoted-string is set first, then should check without
> > > > > quotes up to space.
> > > > > Wouldn't the default be for what the type is, so with quoted-string, then
> > > > > it's quoted, unless an 'or' condition exists for an alternate expected data
> > > > > type.
> > > > >
> > > > > With so very many fields in verbose messages, it is great to have a single
> > > > > rule which would otherwise be an exponentially lengthy ruleset to
> > > > > accommodate all the possible known type setting combinations.
> > > > > %Description:quoted-string:or:word%
> > > > >
> > > > > A "type:or:type" option could also be useful in other cases where
> > > > > unpopulated fields exists with a default type value which doesn't match the
> > > > > field when populated with specific typed value.
> > > > >
> > > > > %IP Address:ipv4:or:word%
> > > > > The IP Address is provided, or a hyphen exists in the field when
> > > > > unpopulated. In this scenario more specific literal matching would also be
> > > > > nice option, which please correct me if literals already exists beyond
> > > > > annotations. Having a char type match as char-sep somewhat resembles, where
> > > > > field extraction only when the literal matches. The difference being that
> > > > > the literal would be matched for field value not just up to that position.
> > > > > To give a more strict rule:
> > > > > %IP Address:ipv4:or:char:\x2d%
> > > > >
> > > > > Similarly, it would be good to have string type, like described for the
> > > > > purposed char type above, but for capturing the string literal instead of
> > > > > only the literal char. Rulebase could use string parse
> > > > > enhancement with capture of literal string at specific field start
> > > > > position within rulebase, since existing features could likely be used like
> > > > > annotation fields.
> > > > > Additionally, please inform of any contributions for
> > > > > the discussion regarding data type of fields to match string as a
> > > > > string-to, as char-to / char-sep feature of char
> > > > > separator on string, like the function, field($!path, string-or-char). So
> > > > > please also elaborate on what has already been done for rulebase matching
> > > > > string literals. Thanks!
> > > > >
> > > > > -Kendall
> > > > >
> > > > > On Mon, Jan 26, 2015 at 5:49 PM, David Lang <[email protected]> wrote:
> > > > >
> > > > > > I don't like the "or" option as I think it makes the rules harder to read.
> > > > > > unless you are doing this on a lot of fields in a line, just make a new
> > > > > > line with the different type.
> > > > > >
> > > > > > We need feedback from others, but at the very least I think making this an
> > > > > > option to the standard quoted-string type would be better than a new type
> > > > > > (the question is if this should be enabled by default or disabled by
> > > > > > default)
> > > > > >
> > > > > > David Lang
> > > > > >
> > > > > > On Tue, 27 Jan 2015, Chris Schafer wrote:
> > > > > >
> > > > > >> It comes back as a full fail. I thought about modifying that, but I didn't
> > > > > >> want to wreck anything currently in place.
> > > > > >> A coworker of mine had a great idea for an "or" ability, going
> > > > > >> %tag:or:quoted-string:word% where it attempts the first, and if that fails,
> > > > > >> goes to the second. However, that's not going to be easy, and I wanted to
> > > > > >> push this change before you guys got too many commits ahead.
> > > > > >>
> > > > > >> On Mon Jan 26 2015 at 4:43:02 PM David Lang <[email protected]> wrote:
> > > > > >>
> > > > > >>> hmm, I'm wondering if we should do this for the normal quoted type?
> > > > > >>> If you say quoted string and there isn't a quote does it just not match?
> > > > > >>>
> > > > > >>> David Lang
> > > > > >>>
> > > > > >>> On Tue, 27 Jan 2015, Chris Schafer wrote:
> > > > > >>>
> > > > > >>>> This only handles " because that's what the current quoted string does.
> > > > > >>>> If it doesn't start with ", it implements the "word" functionality (which I
> > > > > >>>> shamelessly copied). The idea is to capture inputs where the source system
> > > > > >>>> only quotes it if it contains a space, but leaves it unquoted otherwise.
> > > > > >>>> Example:
> > > > > >>>> No data = -
> > > > > >>>> One Word = word
> > > > > >>>> Two words+ = "Two Words"
> > > > > >>>>
> > > > > >>>> The function should handle all three.
> > > > > >>>> Chris
> > > > > >>>>
> > > > > >>>> On Mon Jan 26 2015 at 4:36:25 PM David Lang <[email protected]> wrote:
> > > > > >>>>
> > > > > >>>>> does this handle embedded quotes in the string? and do you handle strings
> > > > > >>>>> starting with ' and " or just one of them?
> > > > > >>>>>
> > > > > >>>>> David Lang
> > > > > >>>>>
> > > > > >>>>> On Tue, 27 Jan 2015, Chris Schafer wrote:
> > > > > >>>>>
> > > > > >>>>>> Date: Tue, 27 Jan 2015 00:30:54 +0000
> > > > > >>>>>> From: Chris Schafer <[email protected]>
> > > > > >>>>>> Reply-To: rsyslog-users <[email protected]>
> > > > > >>>>>> To: [email protected]
> > > > > >>>>>> Subject: [rsyslog] New Pull request for liblognorm - additional mmnormalize
> > > > > >>>>>> functionality
> > > > > >>>>>>
> > > > > >>>>>> Just submitted the following pull request:
> > > > > >>>>>> https://github.com/rsyslog/liblognorm/pull/20
> > > > > >>>>>> And I believe it could solve a lot of issues (at least, it solves a lot of
> > > > > >>>>>> mine) surrounding mmnormalize parsing in rsyslog. I'm looking for
> > > > > >>>>>> comments/issues/holy-crap-you-can't-code-what-are-you-doing, if you guys
> > > > > >>>>>> have any. This is my first time submitting a patch to a large project (or
> > > > > >>>>>> at least one where I didn't know the maintainer personally), so be gentle
> > > > > >>>>>> please :)
> > > > > >>>>>>
> > > > > >>>>>> Chris
> > > > > >>>>>> _______________________________________________
> > > > > >>>>>> rsyslog mailing list
> > > > > >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > >>>>>> http://www.rsyslog.com/professional-services/
> > > > > >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > > >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > > > >>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > > > >>>>>> DON'T LIKE THAT.
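
The field behaviour Chris Schafer describes in the thread above (no data as -, a bare word, or a quoted "Two Words"), as an added C example; it is not code from the liblognorm pull request or from any poster. The names parse_opt_quoted, parse_line and struct field are hypothetical, and failing on an unterminated quote, not processing escapes, and single-space separators are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

struct field { size_t val_off, val_len, consumed; };

/* One optionally quoted field at line[off]: a leading '"' means the value
 * runs to the next '"'; otherwise it runs to the next space ("word").
 * Returns 0, or -1 on an empty field or unterminated quote (assumed policy). */
int parse_opt_quoted(const char *line, size_t len, size_t off, struct field *out)
{
    if (line == NULL || out == NULL || off >= len)
        return -1;
    if (line[off] == '"') {
        const char *q = memchr(line + off + 1, '"', len - off - 1);
        if (q == NULL)
            return -1;                    /* no closing quote: fail, do not guess */
        out->val_off = off + 1;
        out->val_len = (size_t)(q - line) - (off + 1);
        out->consumed = out->val_len + 2; /* value plus both quotes */
        return 0;
    }
    const char *sp = memchr(line + off, ' ', len - off);
    size_t end = sp ? (size_t)(sp - line) : len;
    if (end == off)
        return -1;                        /* empty field */
    out->val_off = off;
    out->val_len = out->consumed = end - off;
    return 0;
}

/* Split single-space-separated fields; returns the count, or -1 on error. */
int parse_line(const char *line, size_t len, struct field *out, size_t max)
{
    size_t off = 0, n = 0;
    while (off < len) {
        if (n == max || parse_opt_quoted(line, len, off, &out[n]) != 0)
            return -1;
        off += out[n++].consumed;
        if (off < len && line[off++] != ' ')
            return -1;                    /* junk right after a closing quote */
    }
    return (int)n;
}

int main(void)
{
    const char *l = "- word \"Two Words\"";   /* constructed sample line */
    struct field f[4];
    return parse_line(l, strlen(l), f, 4) == 3 ? 0 : 1;
}
```

Every scan is bounded by the supplied length, so a line that ends inside a quote is rejected instead of being read past its end or silently matched as a shorter value.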

