On Wed, 28 Jan 2015, singh.janmejay wrote:
> Maybe it'll be useful to discuss what you want to achieve with such representations of sample. I mean, if possible, take a few samples from your existing rulebase which you think highlight the problem(s) you are facing.
I think the example is the Apache logs, where Apache either puts a value, or it puts a placeholder '-'.
If you want to capture a specific type (number or IP address, for example), you won't match a log entry that has a - in that field.
If there are only a couple of fields that are like this, you can list all the combinations in the ruleset, but if you have a lot of fields like this, the combinatorial explosion would make for a LOT of rules.
So I don't think he really needs a generic 'or' allowing any types to be combined as much as a way to say "this field could be this type or this constant".
David Lang
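
The rule growth described in the message above, next to the "this type or this constant" alternative, as an added example that is not part of the original post and is not rsyslog or liblognorm code. The parsers, the helper names and the simplified log layout are assumptions made for illustration; no liblognorm rule syntax is used.

```python
import ipaddress
from itertools import product

# Hypothetical field parsers (plain Python): return a value or raise ValueError.
def ip(tok):
    return str(ipaddress.ip_address(tok))

def number(tok):
    if not tok.isdigit():
        raise ValueError(tok)
    return int(tok)

def dash(tok):  # the constant placeholder '-' logged in place of a value
    if tok != "-":
        raise ValueError(tok)
    return None

def either(*parsers):
    """'This type or this constant': the first parser to accept the token wins."""
    def parse(tok):
        for p in parsers:
            try:
                return p(tok)
            except ValueError:
                pass
        raise ValueError(tok)
    return parse

def match(rule, line):
    """Return the parsed fields, or None if the line does not fit the rule."""
    toks = line.split()
    if len(toks) != len(rule):
        return None
    try:
        return [p(t) for p, t in zip(rule, toks)]
    except ValueError:
        return None

def expanded_rules(rule, dashable):
    """Without alternatives: one rule per typed/'-' combination, 2**n in total."""
    choices = [(p, dash) if i in dashable else (p,) for i, p in enumerate(rule)]
    return [list(r) for r in product(*choices)]

def tolerant_rule(rule, dashable):
    """With alternatives: a single rule where each listed field is 'type or -'."""
    return [either(p, dash) if i in dashable else p for i, p in enumerate(rule)]

# Constructed, simplified layout: client IP, status, bytes, upstream IP.
STRICT = [ip, number, number, ip]
SAMPLES = ["192.0.2.10 200 5120 198.51.100.7", "192.0.2.11 304 - -"]
```

With two placeholder-capable fields the expanded rulebase already needs four rules, and ten such fields need 1024, while the tolerant form stays at one rule.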

