On Fri, 25 Nov 2016, mosto...@gmail.com wrote:
string="<%pri%>%timestamp:::date-rfc3339% %hostname%
logs/$!data!group/$!data!app: %$!data%") to be fully correct
Done.
also watch out, the programname is limited to 32 characters, don't let your
group and app names get too long.
Wasn't it possible to change that? IIRC we had some issues with
hostnames/tags being too long and were able to handle longer.
Anyway, we'll try to stay within boundaries.
since you changed the programname to be logs/group/app this would be field
3
Are you sure?
*ruleset apps* is invoked for each input using TAG=group/app, and AFTER that
ruleset relp uses template json, which prefixes "logs/"
I may be confused about which part is on the sender and which part is on the
receiver.
*# Is addMetadata="on" needed in order to use $!metadata!filename?*
I think so.
As I'm double checking everything while updating docs, I would love to have a
more confident statement on this. Rainer?
the easiest thing is to try it :-)
correct, although mmjsonparse defaults to needing @cee: in front of the
json, so the line below needs to be changed to:
module(load="mmjsonparse" cookie="")
I forgot! Nice catch (...I'll have to check if cookie goes in module or
action...)
it should be action, sorry
*# Once all operations have ended, it should be indexed*
*# Is there any way apps not only define rules, but additional transformations?*
*# I guess having a .conf file with if+ruleset could work...*
no, the mmnormalize ruleset cannot apply any transformations. I would
probably try to do that on the sending side if I could.
That's why I played with rulesets to make something like
a.conf
normalize
add some fields
b.conf
normalize
c.conf
normalize
remove some fields
That would make the combination script behave differently
adding fields you may be able to do with the ammend= capabilities in the ruleset
if you don't want a field to be reported, give it the name '-' in the ruleset.
unfortunately, you can't rename fields or copy fields in the ruleset.
*# It is possible to use $!index here? Workaround?*
this is what dynsearchindex and dynparent are for.
so: dynSearchIndex="on" searchIndex="mytemplate" and template="$!index",
right?
yep.
*# How could EACH app specify his own index pattern?*
they can't directly, but the template can be "%$.manual%" and you use
rainerscript commands to set $.manual to whatever you want it to be
(another good use for a lookup table if it's complex enough ;-)
I didn't understand this...but having each app.conf file could also work.
you can do
set ...
set ...
action()
but not
action(set)
set is a statement, action is a statement. Action takes parameters, but not
statements inside the ()
David Lang
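
The receiver-side pieces discussed in this message (cookie="" on the mmjsonparse action, set statements placed before action(), and dynSearchIndex with a "%$.manual%" template), put together as an added example that is not part of the original thread. The ruleset and template names, the "logs-" index prefix, the localhost server and the assumption that the parsed JSON exposes $!group and $!app are all illustrative; because the index name is built from fields the sender supplies, the example validates them before use.

```conf
# Added example, not from the thread. Names marked (assumed) are illustrative.
module(load="mmjsonparse")
module(load="omelasticsearch")

# Index name is taken from a local variable that is set per message.
template(name="es-index" type="string" string="%$.manual%")      # (assumed name)
# Document body: the full parsed JSON tree.
template(name="es-doc" type="string" string="%$!all-json%")      # (assumed name)

ruleset(name="to-es") {                                          # (assumed name)
    # cookie is an action parameter; the empty value accepts JSON
    # that does not carry the @cee: prefix.
    action(type="mmjsonparse" cookie="")

    # set is a statement, so it runs before action(), never inside its ().
    # Elasticsearch index names must be lowercase.
    set $.group = tolower($!group);      # assumes the sender's JSON has "group"
    set $.app   = tolower($!app);        # assumes the sender's JSON has "app"

    # group/app come from the sender: only accept a conservative character
    # set, and send everything else to one fixed fallback index.
    if $parsesuccess == "OK"
       and re_match($.group, "^[a-z0-9_-]+$")
       and re_match($.app, "^[a-z0-9_-]+$") then {
        set $.manual = "logs-" & $.group & "-" & $.app;
    } else {
        set $.manual = "logs-unparsed";                          # (assumed name)
    }

    action(type="omelasticsearch"
           server="localhost"                                    # (assumed)
           searchIndex="es-index"        # template name, because dynSearchIndex is on
           dynSearchIndex="on"
           template="es-doc")
}
```

Running rsyslogd -N1 against the file checks the syntax before the configuration is deployed.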