On Wed, Apr 15, 2015 at 6:25 PM, Dave Caplinger < [email protected]> wrote:
> On Apr 14, 2015, at 11:43 PM, David Lang <[email protected]> wrote: > > > > On Wed, 15 Apr 2015, Ezell, Matthew A. wrote: > > > [...] > > what I do is to take whatever message was output and then run mmjsonparse > > against it. If it's cee JSON (insert grumble about the requirement for > the cee > > cookie ;-) I have all the variables, but no $!msg field. If I have a > $!msg > > field, then I parse it using mmnormalize to extract variables from it. > If there > > isn't a $!msg field, I set $!msg=$mesg so that I have something I can > spit out > > when I'm doing a 'plain' logfile. > > > > I also add metadata to the JSON (fromhost-ip, received time, hostname of > relay, > > and an environment tag so that later on I can trivially tell the > difference > > between dev and prod copies of the same software) > > We do something very similar to this, and I suspect so do other > high-volume Rsyslog users such as Radu at Sematext. > Yes, we actually check whether parsing worked: if $parsesuccess == "OK" then ... and use different templates for JSON and non-JSON messages. For JSON ones we use the $!all-json variable to get us all parsed properties. You could also use the jsonmesg property to get everything (parsed + syslog variables) but some info will be duplicated that way. Best regards, Radu -- Performance Monitoring * Log Analytics * Search Analytics Solr & Elasticsearch Support * http://sematext.com/ _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

