--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft
keyboard sporting it's not-so-smart-assist technology.

On Nov 21, 2015 3:52 AM, "David Lang" <[email protected]> wrote:
>
> by default, mmnormalize only parsed $msg, it has an option to let you
parse anything else. I posted a lengthy message yesterday talking about how
I create a string $.stdmsg that includes different variables and then have
mmnormalize parse it instead of $msg.
>
> the json generated by mmnormalize should be added to anything already in
$! (if not, this needs to be an option)
It already exposes a parameter as namespace for variables.

, but if it's not showing up, try setting $!@timestamp after the
mmnormalize statement.
>
> David Lang
>
>
>
>
>  On Fri, 20 Nov 2015, Alec Swan wrote:
>
>> I run mmnormalize twice because I need to use different rulebases for
>> different rulesets associated with imfile input.
>>
>> If I move "set $!@timestamp = exec_template("timereportedrfc3339");
>> set $!host
>> = $hostname;" outside of rulesets (expecting them to share those
variable)
>> mmnormalize just doesn't include them in JSON generated. So, I end up
>> having tags from mmnormalize rulebase parsing but not the $! variables in
>> JSON.
>>
>> On Fri, Nov 20, 2015 at 11:00 AM, David Lang <[email protected]> wrote:
>>
>>> On Fri, 20 Nov 2015, Alec Swan wrote:
>>>
>>> Hello,
>>>>
>>>>
>>>> I have multiple rulesets where I call mmnormalize. I noticed that I
have
>>>> to
>>>> duplicate $! variables in each ruleset for mmnormalize to include them
in
>>>> the $!all-json variable. Is there a way to avoid this duplication
below?
>>>>
>>>> template(name = "es-payload" type="list"){
>>>>    property(name = "$!all-json")
>>>> }
>>>>
>>>> ruleset(name = "cassandra-log") {
>>>>
>>>> *    set $!@timestamp = exec_template("timereportedrfc3339");    set
>>>> $!host = $hostname;*
>>>>
>>>>    action(type = "mmnormalize" rulebase =
>>>> "/etc/rsyslog.d/rules/cassandra.log.rb")}
>>>>
>>>> ruleset(name = "cassandra-system") {
>>>>
>>>> *    set $!@timestamp = exec_template("timereportedrfc3339");    set
>>>> $!host = $hostname;*
>>>>
>>>>    action(type = "mmnormalize" rulebase =
>>>> "/etc/rsyslog.d/rules/cassandra-system.log.rb")}
>>>>
>>>
>>> my experience has been that if you have a name duplicated, it gets
>>> overwritten.
>>>
>>> can you give an example fo the log output?
>>>
>>> also, why are you running mmnormalize twice instead of just combining
the
>>> rulebases?
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
>>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to