If you say "split this string with X and the sections are type blah", not splitting on X just doesn't make sense.

If you said, "this is one or more things of type blah that will be separated by X" then it could make sense to include X inside blah.

But tokenize is described as the first case, not the second. And in any case, saying 'X is the delimiter between values' and then not using X as the delimiter is going to be confusing.

David Lang

On Sat, 30 May 2015, singh.janmejay wrote:

Date: Sat, 30 May 2015 16:43:52 +0530
From: singh.janmejay <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] liblognorm tokenize issue

I guess json or cef should just work. Because when the json object ends,
it'll stop matching, so it'll work with tokenize just fine.

--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft
keyboard sporting its not-so-smart-assist technology.

On May 30, 2015 1:23 PM, "Chris Schafer" <[email protected]> wrote:

I'm currently being affected by this same issue, and would love to see a
resolution!
Either this (having tokenized auto-separate the strings) or being able to
specify multiple characters the char-to would stop at (so stop at the first
occurrence of & OR | with char-to:&|)

On Fri, May 29, 2015 at 10:26 AM David Lang <[email protected]> wrote:

this doesn't solve the problem because it can only return a string.

I want to tokenize and then use something more complex (json,
name-value-list, iptables, cef, etc)

David Lang

On Fri, 29 May 2015, singh.janmejay wrote:

Should we have an optional argument in word: except.

Eg.

%foo:word:&%%bar:word%

Given baz&quux will give us:

{"foo" : "baz", "bar": "quux"}

If we take multiple chars (allow escaped unicode sequences), we can
say the default value of this field is 'space' and 'tab'.

On Fri, May 29, 2015 at 1:38 AM, David Lang <[email protected]> wrote:
I think that the config

rule=:%foo:tokenized:&:word%

against the string

"1&2&3"

should return
{ "foo": [ "1", "2", "3" ] }

but instead it returns

{ "foo": [ "1&2&3" ] }

because 'word' is applied before the split of tokenized.

If I change 'word' to 'number' it performs as expected (returning three
values)

this can be worked around by doing

rule=:%foo:tokenized:&:char-sep:&%

but this is ugly, and it prevents doing anything smarter (such as a descent
or recursive that would be able to split a name-value pair)

https://github.com/rsyslog/liblognorm/issues/64

filed for this.

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
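
The behaviour reported in the thread, as an added example that is not part of any message above and is not liblognorm code: a toy Python model of an element parser that runs before the delimiter is looked for, beside the split-first reading David Lang expects. The function names and the simplified `word`, `number` and `char_sep` parsers are assumptions made for illustration, and backtracking is not modelled.

```python
# Toy model of the two readings of rule=:%foo:tokenized:&:<element>%
# discussed in the thread. Illustrative only; not liblognorm code.

def word(s, i):
    """Consume up to the next space; return end offset or None."""
    j = i
    while j < len(s) and s[j] != " ":
        j += 1
    return j if j > i else None

def number(s, i):
    """Consume decimal digits only."""
    j = i
    while j < len(s) and s[j].isdigit():
        j += 1
    return j if j > i else None

def char_sep(stop):
    """Consume zero or more characters up to any character in `stop`."""
    def parse(s, i):
        j = i
        while j < len(s) and s[j] not in stop:
            j += 1
        return j
    return parse

def tokenize_match_first(s, delim, element):
    """Run the element parser first, then look for the delimiter."""
    items, i = [], 0
    while (j := element(s, i)) is not None:
        items.append(s[i:j])
        if not s.startswith(delim, j):
            break
        i = j + len(delim)
    return items

def tokenize_split_first(s, delim, element):
    """Split on the delimiter first; each piece must match in full."""
    pieces = s.split(delim)
    ok = all(element(p, 0) == len(p) for p in pieces)
    return pieces if ok else None

if __name__ == "__main__":
    sample = "1&2&3"  # the string from the report
    for name, el in [("word", word), ("number", number),
                     ("char-sep:&", char_sep("&"))]:
        print(name, tokenize_match_first(sample, "&", el),
              tokenize_split_first(sample, "&", el))
```

Comparing the two results for a sample line flags element parsers that swallow the delimiter, which otherwise shows up only as a one-element array in the normalized output.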



