On Fri, 2 Dec 2016, Rainer Gerhards wrote:

2016-12-02 8:27 GMT+01:00 David Lang <da...@lang.hm>:
On Fri, 2 Dec 2016, Rainer Gerhards wrote:

What exactly do you do with the variables you set inside the if body?
Are they always the same? Where does the data originate from?

I try to understand the scenario better, because I vaguely think I may
be able to find a much simpler solution which would require possible
minimal code changes. But I can't express myself clearer at the
moment, it's more a gut feeling.

It would be good if you could post some *concrete* example of three or
four of the if blocks, that would definitely aid understanding.


he gave a couple of examples a while back.

An example would be populating one variable from several possible sources,
depending on the log type. In some cases it may require combining multiple
variables so it can't be solved in the parser

These "possible sources" and "log type" and "multiple variables" are
exactly what I would like to clarify. Depending on the fine details,
there may be a simple solution, maybe not. At least something to think
about. I am thinking about someting along the lines of e.g. imfile
input with an extra metadata parameter, e.g.

metadata=["!var=foo", "!bar=another text"]

while that would be very useful, it's not this situation. In this case he is able to deal with this by setting tag to a structured value and then parse it later rather than setting multiple metadata values.

In this case, we're working much later in the process, where it doesn't matter that the source was from an imfile. It's working with the data after it's been parsed by mmnormalize and then cleaning up the things where different logs still result in non-normalized data.

This could be because the source came in with names already (json, cef, name-value, etc), or because you need to take multiple fields in the log and combine them.

if the liblognorm ruleset ammend=: line could assign variable contents, not just constant strings, it would address 90% of the issues.

David Lang

But for me it is very hard to really think about it without a concrete
case. Looking at an abstract level, things seem easy, but the rest of
the conversation indicates to me that the abstraction may not
necessarily be correct, so I would like to see the dirty *real life,
real code" that shall be used.


along the lines of:

if type = 1 then
  set var = $foo
else if type = 2 then
  set var = $bar
else if type = 3 then
  set var = $baz + $bar

another thing that can be done in this sort of structure is to save
different logs in different places (type 1 & 2 go in dir A, type 3 goes in
dir B)

or writing the different logs using different templates.

If you look at the rules that I had, you see that I did a lot of that type
of thing. But I just did it as if statements

Again, it's all to abstract to keep me thinking further into that direction.

I want to avoid that I abstract something based on an already
abstracted idea which might not 100% match reality.

Hope this clarifies,
Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to