Re: [rsyslog] mmnormalize with mutiple input: conditionals?

[mosto...@gmail.com]

I don't know if this is what you are asking for...

3421.997587883:main Q:Reg/w0  :     SET !data!aapp =
3421.997596172:main Q:Reg/w0  :       function 'field' (id:9, params:3)
3421.997607766:main Q:Reg/w0  :         var 'programname'
3421.997687716:main Q:Reg/w0  :         47
3421.997714715:main Q:Reg/w0  :         2
3421.997728731:main Q:Reg/w0  :     END SET



El 30/11/16 a las 22:32, Rainer Gerhards escribió:

Can you show what the properties are for this message?

Sent from phone, thus brief.

Am 30.11.2016 20:18 schrieb "mosto...@gmail.com" <mosto...@gmail.com>:

Hi

I'm still not able to get it, and *perhaps reproduced an issue related to
properties not being accessible*...
Consider the following relay.conf:

    global(
    MaxMessageSize="32k"
    workDirectory="/var/spool/rsyslog"
    parser.escapeControlCharactersOnReceive="off"
    )

    template(
         name="json"
    string="<%pri%>%timestamp:::date-rfc3339% %hostname%
    logs/%$!data!group%/%$!data!aapp%: %$!data%"
         type="string"
    )

    module(load="omrelp")
    ruleset(name="relp") {
         set $!data!aapp=field($programname,"/",2);
         set $!data!file="$!metadata!filename";
         set $!data!group=field($programname,"/",1);
         set $!data!msg=$msg;
         action(
    action.reportSuspension="on"
    action.resumeRetryCount="-1"
    port="20514"
    queue.maxdiskspace="5M"
    queue.SaveOnShutdown="on"
    queue.type="LinkedList"
    target="server"
    template="json"
    type="omrelp"
         )
    }
    ruleset(name="apps") {
         call relp
         stop
    }

    module(load="imfile")

    input(type="imfile" file="/logs/apache/app1/app.log"
    tag="group/app1" addMetadata="on" ruleset="apps"
    PersistStateInterval="1")

    input(type="imfile" file="/logs/apache/app2/app.log"
    tag="group/app2" addMetadata="on" ruleset="apps"
    PersistStateInterval="1")
    ruleset(name="app_server1") {
         set $!data!containerApps="app1,app2";
         call relp
         stop
    }

    input(type="imfile" file="/logs/server1/app1.log"
    tag="group1/server1" addMetadata="on" ruleset="app_server1"
    startmsg.regex="^####" readTimeout="5" PersistStateInterval="1")
    input(type="imfile" file="/logs/server1/app2.log"
    tag="group1/server1" addMetadata="on" ruleset="app_server1"
    startmsg.regex="^####" readTimeout="5" PersistStateInterval="1")

    ruleset(name="app_server2") {
         set $!data!containerApps="app2,app3";
         call relp
         stop
    }
    input(type="imfile" file="/logs/server2/app2.log"
    tag="group2/server2" addMetadata="on" ruleset="app_server2"
    startmsg.regex="^####" readTimeout="5" PersistStateInterval="1")
    input(type="imfile" file="/logs/server2/app3.log"
    tag="group2/server2" addMetadata="on" ruleset="app_server2"
    startmsg.regex="^####" readTimeout="5" PersistStateInterval="1")


With this configuration I'm getting messages like:

    200 syslog 911 <133>2016-11-30T20:02:30.210405+01:00 my-rsyslog
    logs/group/***FIELD NOT FOUND***: { "aapp": "***FIELD NOT FOUND***",
    "file": "\/logs\/apache\/app1\/app.log", "group": "group", "msg":
    "17 mar 2016 13:27:28,934  INFO REDACTED..." }


Why /aapp/ field isn't found?

Regards
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.