On Wed, Apr 15, 2015 at 6:25 PM, Dave Caplinger <
[email protected]> wrote:

> On Apr 14, 2015, at 11:43 PM, David Lang <[email protected]> wrote:
> >
> > On Wed, 15 Apr 2015, Ezell, Matthew A. wrote:
> >
>
[...]

> > what I do is to take whatever message was output and then run mmjsonparse
> > against it. If it's cee JSON (insert grumble about the requirement for
> the cee
> > cookie ;-) I have all the variables, but no $!msg field. If I have a
> $!msg
> > field, then I parse it using mmnormalize to extract variables from it.
> If there
> > isn't a $!msg field, I set $!msg=$mesg so that I have something I can
> spit out
> > when I'm doing a 'plain' logfile.
> >
> > I also add metadata to the JSON (fromhost-ip, received time, hostname of
> relay,
> > and an environment tag so that later on I can trivially tell the
> difference
> > between dev and prod copies of the same software)
>
> We do something very similar to this, and I suspect so do other
> high-volume Rsyslog users such as Radu at Sematext.
>

Yes, we actually check whether parsing worked:

if $parsesuccess == "OK" then
...

and use different templates for JSON and non-JSON messages. For JSON ones
we use the $!all-json variable to get us all parsed properties. You could
also use the jsonmesg property to get everything (parsed + syslog
variables) but some info will be duplicated that way.

Best regards,
Radu
-- 
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to