I guess json or cef should just work. Because when the json object ends,
it'll stop matching, so it'll work with tokenize just fine.

--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft
keyboard sporting its not-so-smart-assist technology.

On May 30, 2015 1:23 PM, "Chris Schafer" <[email protected]> wrote:

> I'm currently being affected by this same issue, and would love to see a
> resolution!
> Either this (having tokenized auto-separate the strings) or being able to
> specify multiple characters the char-to would stop at (so stop at the first
> occurrence of & OR | with char-to:&|)
>
> On Fri, May 29, 2015 at 10:26 AM David Lang <[email protected]> wrote:
>
> > this doesn't solve the problem because it can only return a string.
> >
> > I want to tokenize and then use something more complex (json,
> > name-value-list,
> > iptables, cef, etc)
> >
> > David Lang
> >
> > On Fri, 29 May 2015, singh.janmejay wrote:
> >
> > > Should we have an optional argument in word: except.
> > >
> > > Eg.
> > >
> > > %foo:word:&%%bar:word%
> > >
> > > Given baz&quux will give us:
> > >
> > > {"foo" : "baz", "bar": "quux"}
> > >
> > > If we take multiple chars (allow escaped unicode sequences), we can
> > > say the default value of this field is 'space' and 'tab'.
> > >
> > > On Fri, May 29, 2015 at 1:38 AM, David Lang <[email protected]> wrote:
> > >> I think that the config
> > >>
> > >> rule=:%foo:tokenized:&:word%
> > >>
> > >> against the string
> > >>
> > >> "1&2&3"
> > >>
> > >> should return
> > >> { "foo": [ "1", "2", "3" ] }
> > >>
> > >> but instead it returns
> > >>
> > >> { "foo": [ "1&2&3" ] }
> > >>
> > >> because 'word' is applied before the split of tokenized.
> > >>
> > >> If I change 'word' to 'number' it performs as expected (returning three
> > >> values)
> > >>
> > >> this can be worked around by doing
> > >>
> > >> rule=:%foo:tokenized:&:char-sep:&%
> > >>
> > >> but this is ugly, and it prevents doing anything smarter (such as a descent
> > >> or recursive that would be able to split a name-value pair)
> > >>
> > >> https://github.com/rsyslog/liblognorm/issues/64
> > >>
> > >> filed for this.
> > >>
> > >> David Lang
> > >>
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > >> LIKE THAT.
> > >
> > >
> > >
> > >
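The ordering problem discussed in this thread, as a simplified Python model. This is an added example, not liblognorm code and not written by any poster; all function names are hypothetical and the parsers are reduced stand-ins that assume 'word' runs to the next space, 'number' takes digits only, and 'char-sep' runs to the given character.

```python
import re

# Simplified stand-ins for liblognorm field parsers (a model, not library code).
# Each takes (text, pos) and returns the end offset of its match, or None.
def word(text, pos):
    m = re.compile(r"[^ ]+").match(text, pos)    # runs to next space or end
    return m.end() if m else None

def number(text, pos):
    m = re.compile(r"[0-9]+").match(text, pos)   # digits only, so it stops at '&'
    return m.end() if m else None

def char_sep(sep):
    def parse(text, pos):                        # everything up to sep (or end)
        end = text.find(sep, pos)
        return len(text) if end == -1 else end
    return parse

def tokenized_subparser_first(text, sep, sub):
    """Behaviour reported in the thread: sub-parser runs before the split."""
    tokens, pos = [], 0
    while True:
        end = sub(text, pos)
        if end is None:
            return None
        tokens.append(text[pos:end])
        if end == len(text):
            return tokens
        if not text.startswith(sep, end):
            return None
        pos = end + len(sep)

def tokenized_split_first(text, sep, sub):
    """Behaviour asked for: split on sep, then each piece must fully match sub."""
    pieces = text.split(sep)
    if any(sub(p, 0) != len(p) for p in pieces):
        return None
    return pieces

if __name__ == "__main__":
    msg = "1&2&3"  # sample string from the thread
    for name, sub in [("word", word), ("number", number), ("char-sep:&", char_sep("&"))]:
        print(name, tokenized_subparser_first(msg, "&", sub))
    print("word, split first", tokenized_split_first(msg, "&", word))
```

In a log-normalization pipeline the sub-parser-first result matters because a field expected to be a three-element array arrives as a single string, so downstream rules keyed on individual elements silently stop matching.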