On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:
We have found several issues with our relp-file-elastic relay config. Hope
you can help us.
template(name="json" type="string" string="%$!data%\n")
ruleset(name="to-index"){
set $!data=$msg;
set $!data!dummy_host=$hostname;
set $!data!foo="foo";
action(type="omfile" template="json"...)
}
Doesn't seem to add myhost/foo to file:
{ "app": "app1", "file": "\/logs\/apps\/app.log", "group":
"mygroup", "msg": "redacted" }
you are getting confused over the difference between a string that looks like
json and an actual json structure.
If you output things using RSYSLOG_DebugFormat I think you would see the issue.
you set $!data = the message string, which is '{ "app": "app1", "file":
"\/logs\/apps\/app.log", "group": "mygroup", "msg": "redacted" }'
and then you try to add items to the $!data structure, but it's not a structure,
it's a string.
you would need to parse the $msg and turn it into a structure (mmjsonparse or
mmnormalize)
If you were to create the ruleset
version=2
rule=:%.:json%
rule=: %.:json%
# this covers both having and not having a leading space in $msg)
then do
action(type="mmnormalize" path="data")
this would populate $!data with the structure parsed out of $msg.
mmjsonparse puts the parsed data at $! (not configurable), and there are
currently bugs in using $! in a set statement, so you would need to change your
config to work with $! isntead of $!data is you use mmjsonparse to parse the
message.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
