On Wed, 12 Dec 2018, Lavanya Kanchanapalli via rsyslog wrote:
Hi, I am trying to get mmnormalize work with examples given in liblognorm documentation <https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst#json>. Using lognormaizer <http://www.liblognorm.com/files/manual/lognormalizer.html> tool I found that the rulebase and parsing is working as expected. I tried to use the parsed text in my template to compose an output. According to this recipe example <https://www.rsyslog.com/log-normalization-for-different-formats/> the text is stored in "usr" subtree and can be accessed using $!usr!<fieldname>. As shown below (highlighted) using $!usr!field2 did not work. Can you please suggest what might be missing?
first thing, write the logs out with the template RSYSLOG_DebugFormat and you can see exactly what is there.
With any mmnormalize problem, a copy fo the debugformat log is extremely useful to see what mmnormalize is actually doing.
In general, text not captured in variables is not available to you. There is an option to make the rule that is matched into a variable, and you always have the raw line.
but a debugformat log before you run mmnormalize and after will let us see what you had, and what was created.
David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
