Action level param doesn't necessarily mean it can be used only via
rsyslog. I'm thinking of it similar to allowRegex param, which can be used
with liblognorm command-line or anyone else that uses it as a library.
It'll have to be something which is passed at the time of normalizing each
event though.

About the parse-tree, it will have to back-track when multiple branches
from the same node match the content. It doesn't happen often, but with a
larger rulebase the probability of having such nodes in the tree increases
too.

Consider this case:

rule=:%foo:char-to:#%# %bar:number%
rule=:%foo:char-to:,%,# %baz:rest%

Given input 'foo,# 10a' it has to backtrack, so it'll traverse both paths.

foo -> bar [no 'a' so it'll fail]
     |-> baz (success)

About using nullMarker in one case and not using it in another, it only
allows one to be a little more restrictive in enforcing presence of certain
fields. But I agree with you in that it is not very useful.



On the other hand, if we really want to do it at the field level one way to
do it could be %foo:nullable:-:number% or %foo:nullable:-:char-to:@% etc.
This introduces a first-class concept of null-ability of a field. The
advantage is other things such as publish the key with a null value or
don't add the key at all can be easily handled here (as options to nullable
field).


On Wed, Jan 28, 2015 at 4:47 PM, David Lang <[email protected]> wrote:

> On Wed, 28 Jan 2015, Kendall Green wrote:
>
>> But I understand the number of combinations / per rule in a rulebase,
>> would affect performance.
>>
>
> This is actually not the case (at least unless you use regex types)
>
> This is the power of liblognorm and why it isn't just a 'typical' regex
> engine
>
> liblognorm compiles the ruleset into a parse tree. With that parse tree,
> processing a message is (almost*) as simple as 'start at the beginning of
> the log message, look at the first character and pick what branch to take,
> look at the next character and pick what branch to take... hit the end of
> the string or the tree and you have finished parsing the message'
>
> so it doesn't matter if a ruleset has 10 entries or 10000 entries, the
> time taken to process a log message against it is the same, how long it
> takes to walk the length of the message.
>
> David Lang
>
>
> * The almost is because the fact that you are gathering data into tags
> means that there is a timeframe when you may be dealing with two branches of
> the tree, one where the data is part of a tag, and one where it's a
> constant. And the subtleties of this are why it's so useful to have this as
> a library.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>



-- 
Regards,
Janmejay
http://codehunk.wordpress.com
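
The backtracking case from the message above, as an added example that is not part of the original post and not liblognorm code. It is a toy model in which each rule is one branch from the root; the field semantics (char-to needs at least one character, number is a run of digits, a branch fails on leftover input) are assumptions of the model.

```python
import re

# Constructed toy model of the two rules from the message; not liblognorm code.
# Each step is ("lit", text) or ("field", name, type, arg).
RULES = [
    [("field", "foo", "char-to", "#"), ("lit", "# "), ("field", "bar", "number", None)],
    [("field", "foo", "char-to", ","), ("lit", ",# "), ("field", "baz", "rest", None)],
]

def parse_field(ftype, arg, text, pos):
    """Return the end offset of the field at pos, or None if it does not match."""
    if ftype == "char-to":  # toy semantics: one or more chars before `arg`
        end = text.find(arg, pos)
        return end if end > pos else None
    if ftype == "number":   # toy semantics: a run of decimal digits
        m = re.compile(r"[0-9]+").match(text, pos)
        return m.end() if m else None
    if ftype == "rest":     # everything up to the end of the message
        return len(text)
    raise ValueError(ftype)

def walk(steps, text, pos=0):
    """Follow one branch; return extracted fields, or None when the branch fails."""
    fields = {}
    for step in steps:
        if step[0] == "lit":
            if not text.startswith(step[1], pos):
                return None
            pos += len(step[1])
        else:
            _, name, ftype, arg = step
            end = parse_field(ftype, arg, text, pos)
            if end is None:
                return None
            fields[name] = text[pos:end]
            pos = end
    return fields if pos == len(text) else None  # leftover input fails the branch

def normalize(text, rules=RULES):
    """Try branches in order, backtracking to the next one after a failure."""
    tried = 0
    for steps in rules:
        tried += 1
        fields = walk(steps, text)
        if fields is not None:
            return fields, tried
    return None, tried
```

For 'foo,# 10a' the first branch consumes "foo,", "# " and "10" before failing on the trailing 'a', so the work is discarded and the second branch is walked from the start of the message.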