-- Regards, Janmejay PS: Please blame the typos in this mail on my phone's uncivilized soft keyboard sporting it's not-so-smart-assist technology.
On Nov 21, 2015 3:52 AM, "David Lang" <[email protected]> wrote: > > by default, mmnormalize only parsed $msg, it has an option to let you parse anything else. I posted a lengthy message yesterday talking about how I create a string $.stdmsg that includes different variables and then have mmnormalize parse it instead of $msg. > > the json generated by mmnormalize should be added to anything already in $! (if not, this needs to be an option) It already exposes a parameter as namespace for variables. , but if it's not showing up, try setting $!@timestamp after the mmnormalize statement. > > David Lang > > > > > On Fri, 20 Nov 2015, Alec Swan wrote: > >> I run mmnormalize twice because I need to use different rulebases for >> different rulesets associated with imfile input. >> >> If I move "set $!@timestamp = exec_template("timereportedrfc3339"); >> set $!host >> = $hostname;" outside of rulesets (expecting them to share those variable) >> mmnormalize just doesn't include them in JSON generated. So, I end up >> having tags from mmnormalize rulebase parsing but not the $! variables in >> JSON. >> >> On Fri, Nov 20, 2015 at 11:00 AM, David Lang <[email protected]> wrote: >> >>> On Fri, 20 Nov 2015, Alec Swan wrote: >>> >>> Hello, >>>> >>>> >>>> I have multiple rulesets where I call mmnormalize. I noticed that I have >>>> to >>>> duplicate $! variables in each ruleset for mmnormalize to include them in >>>> the $!all-json variable. Is there a way to avoid this duplication below? >>>> >>>> template(name = "es-payload" type="list"){ >>>> property(name = "$!all-json") >>>> } >>>> >>>> ruleset(name = "cassandra-log") { >>>> >>>> * set $!@timestamp = exec_template("timereportedrfc3339"); set >>>> $!host = $hostname;* >>>> >>>> action(type = "mmnormalize" rulebase = >>>> "/etc/rsyslog.d/rules/cassandra.log.rb")} >>>> >>>> ruleset(name = "cassandra-system") { >>>> >>>> * set $!@timestamp = exec_template("timereportedrfc3339"); set >>>> $!host = $hostname;* >>>> >>>> action(type = "mmnormalize" rulebase = >>>> "/etc/rsyslog.d/rules/cassandra-system.log.rb")} >>>> >>> >>> my experience has been that if you have a name duplicated, it gets >>> overwritten. >>> >>> can you give an example fo the log output? >>> >>> also, why are you running mmnormalize twice instead of just combining the >>> rulebases? >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>> DON'T LIKE THAT. >>> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
