Ok, one way I can think of doing it: expose a parameter at action/module
level which turns on defaulting and picks a default string.

E.g.

action(type="mmnormalize" nullMarker="-")

Where nullMarker is a string (not a char).

Whenever a "-" is encountered and a field is expected, it should skip the
key (the key will not be present at all) and continue matching next token
onwards.

Thoughts?

--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft
keyboard sporting its not-so-smart-assist technology.

On Jan 28, 2015 6:38 AM, "David Lang" <[email protected]> wrote:

> On Wed, 28 Jan 2015, singh.janmejay wrote:
>
>> Maybe it'll be useful to discuss what you want to achieve with such
>> representations of sample. I mean if possible, take a few samples from
>> your existing rulebase which you think highlight the problem(s) you are
>> facing.
>>
>
> I think the example is the Apache logs, where Apache either puts a value,
> or it puts a placeholder '-'
>
> if you want to capture a specific type (number or ip address for example),
> you won't match a log entry that has a - in that field.
>
> If there are only a couple fields that are like this, you can list all the
> combinations in the ruleset, but if you have a lot of fields like this, the
> combinatorial explosion would make for a LOT of rules.
>
> So I don't think he really needs a generic 'or' allowing any types to be
> combined as much as a way to say "this field could be this type or this
> constant"
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
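
The behaviour discussed in this thread, as an added example that is not rsyslog or liblognorm code and not part of either message: a toy matcher showing a typed rule failing on an Apache-style '-' placeholder, the proposed marker skipping the key instead, and the rule count needed when every combination is listed. The whitespace tokenization, the field type names, the `null_marker` argument (modelled on the proposed `nullMarker`) and the sample line are assumptions made for illustration.

```python
import ipaddress
from itertools import product

def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

# Typed field parsers (simplified stand-ins for a normalizer's field types).
PARSERS = {
    "ipv4": _is_ipv4,
    "number": lambda tok: tok.isascii() and tok.isdigit(),
    "word": lambda tok: bool(tok),
    "dash": lambda tok: tok == "-",  # the constant '-' alternative
}

def normalize(line, rule, null_marker=None):
    """Match whitespace-separated tokens against rule [(key, type), ...].

    Returns the parsed fields, or None when the line does not match. With
    null_marker set (the parameter proposed in the message), a token equal
    to it where a field is expected is consumed and its key is omitted.
    """
    tokens = line.split()
    if len(tokens) != len(rule):
        return None
    fields = {}
    for tok, (key, ftype) in zip(tokens, rule):
        if null_marker is not None and tok == null_marker:
            continue  # placeholder: no key emitted, keep matching
        if not PARSERS[ftype](tok):
            return None
        fields[key] = tok
    return fields

def expand_without_marker(rule, nullable):
    """Rules needed without the marker: each nullable field is typed or '-'."""
    choices = [((k, t), (k, "dash")) if k in nullable else ((k, t),)
               for k, t in rule]
    return [list(combo) for combo in product(*choices)]

# Constructed sample data (not taken from a real log).
RULE = [("clientip", "ipv4"), ("user", "word"),
        ("status", "number"), ("bytes", "number")]
LINE = "192.0.2.10 - 304 -"
```

With three nullable fields the explicit ruleset already needs eight variants, while a single rule plus the marker parses the same line and simply leaves out the `user` and `bytes` keys.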