On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:
set $!data=$msg;
you are getting confused over the difference between a string that looks
like json and an actual json structure.
Sorry, I was.
action(type="mmnormalize" path="data")
this would populate $!data with the structure parsed out of $msg.
mmjsonparse puts the parsed data at $! (not configurable), and there are
currently bugs in using $! in a set statement, so you would need to change
your config to work with $! instead of $!data if you use mmjsonparse to
parse the message.
Actually using set $!foo="foo"; solved the issue.
I suspect you needed to make more changes than that, so I don't know what your
config looks like now...
May I know what bugs could cause problems if we do:
action(type="mmjsonparse"...)
set $!foo="bar";
none that I lknow of.
Another questions:
When using RELP, we have noticed errors could be propagated to origin. If
queue is full and not discarding any messages, it may cause troubles on
origin rsyslog.
yes, when a queue fills up and you have told rsyslog not to discard any
messages, rsyslog is no longer able to accept any new messages. This means that
things trying to delvier messages to rsyslog pause because they cannot get the
confirmation that their message is accepted.
This is per design and what you would want to have happen
According to some list comments, using an intermediate file
could solve the issue. So:
imrelp->mmjson+mmnormalize+changes->imfile->omelasticsearch
a better way is to create a disk assisted queue rather than writing to a text
file and then reading it in again.
We are using mmjson upon reception, and because elastic is expecting json, we
are ALSO using mmjson after imfile read.
Is there any way to prevent this redundancy?(AKA: parsing to json twice)
don't serialize the json data to a text stream (in a file) such that you need to
treat it as unknown data again when it's read???
(again, it's a problem of "doctor, it hurts when I hit my head with a hammer"
:-)
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
