I tried setting $!@timestamp at the very bottom of the file but mmnormalize calls from inside rulesets did not pick those up. I ran multiple tests and confirmed that $!@timestamp has to be set within the ruleset where mmnormalize is called in order for the JSON produced by mmnormalize to have the @timestamp element. It's not a big deal, but I wish regular variable scoping rules applied to rulesets as well.

Thanks!

On Fri, Nov 20, 2015 at 3:22 PM, David Lang <[email protected]> wrote:

> by default, mmnormalize only parsed $msg, it has an option to let you
> parse anything else. I posted a lengthy message yesterday talking about how
> I create a string $.stdmsg that includes different variables and then have
> mmnormalize parse it instead of $msg.
>
> the json generated by mmnormalize should be added to anything already in
> $! (if not, this needs to be an option), but if it's not showing up, try
> setting $!@timestamp after the mmnormalize statement.
>
> David Lang
>
> On Fri, 20 Nov 2015, Alec Swan wrote:
>
>> I run mmnormalize twice because I need to use different rulebases for
>> different rulesets associated with imfile input.
>>
>> If I move "set $!@timestamp = exec_template("timereportedrfc3339");
>> set $!host = $hostname;" outside of rulesets (expecting them to share
>> those variables) mmnormalize just doesn't include them in JSON generated.
>> So, I end up having tags from mmnormalize rulebase parsing but not the
>> $! variables in JSON.
>>
>> On Fri, Nov 20, 2015 at 11:00 AM, David Lang <[email protected]> wrote:
>>
>>> On Fri, 20 Nov 2015, Alec Swan wrote:
>>>
>>>> Hello,
>>>>
>>>> I have multiple rulesets where I call mmnormalize. I noticed that I
>>>> have to duplicate $! variables in each ruleset for mmnormalize to
>>>> include them in the $!all-json variable. Is there a way to avoid this
>>>> duplication below?
>>>>
>>>> template(name = "es-payload" type="list"){
>>>>     property(name = "$!all-json")
>>>> }
>>>>
>>>> ruleset(name = "cassandra-log") {
>>>>     *set $!@timestamp = exec_template("timereportedrfc3339"); set $!host = $hostname;*
>>>>     action(type = "mmnormalize" rulebase = "/etc/rsyslog.d/rules/cassandra.log.rb")
>>>> }
>>>>
>>>> ruleset(name = "cassandra-system") {
>>>>     *set $!@timestamp = exec_template("timereportedrfc3339"); set $!host = $hostname;*
>>>>     action(type = "mmnormalize" rulebase = "/etc/rsyslog.d/rules/cassandra-system.log.rb")
>>>> }
>>>
>>> my experience has been that if you have a name duplicated, it gets
>>> overwritten.
>>>
>>> can you give an example of the log output?
>>>
>>> also, why are you running mmnormalize twice instead of just combining the
>>> rulebases?
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.

