discarded.full
discarded.nf
suspended.duration
ratelimit.discarded
ratelimit.numratelimiters
sessions.opened
sessions.closed
sessions.openfailed
bytes.received
bytes.decompressed
bytes.sent
…all fall into that category.

When we had Elastic we transformed the dot "." in the cases above to an underscore "_" during transmission to solve that exact issue. Now that we have a “real” SIEM we simply tell it to extract .\"bytes.sent\"

I don’t think there’s really much else you can do.

Regards,

> On Jan 3, 2022, at 04:42, Dimi Onobodies via rsyslog <[email protected]> wrote:
>
> Hi
> Wish happy and productive new year to everyone.
>
> I am trying to send impstats to Elasticsearch however due to particular
> elasticsearch cluster configuration I cannot use rsyslog elasticsearch
> module. I am forced to use filebeat.
>
> Essentially what I am doing is to output impstats on a file (in json format)
> and then use filebeat to forward the stats. I noticed the json stats
> generated from impstats are not structured. For example, the "discarded"
> field in the following line is not structured as an ES object.
>
> { "name": "monitoring[DA]", "origin": "core.queue", "size": 0, "enqueued": 0, "full": 0, "discarded.full": 0, "discarded.nf": 0, "maxqsize": 0 }
>
> Is there a way impstat could structure nested fields like:
>
> "discarded.full": 0, "discarded.nf": 0
>
> to
>
> "discarded": {"full": 0, "nf": 0}
>
>
> Thanks
> D.
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
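
The two approaches discussed in this thread, as an added example that is not part of the original messages and is not rsyslog or Filebeat code: a Python filter that could run over the impstats JSON file before it is shipped, either renaming dotted keys with an underscore (the reply) or nesting them (the question). The function names, the `value` leaf name and the second sample line (a scalar `bytes` next to `bytes.sent`, which an object mapping cannot hold as-is) are assumptions made for illustration.

```python
import json

# Constructed sample input: the first line is the one quoted in the thread,
# the second is invented to show a scalar/prefix clash ("bytes" vs "bytes.sent").
SAMPLE = [
    '{ "name": "monitoring[DA]", "origin": "core.queue", "size": 0, "enqueued": 0, '
    '"full": 0, "discarded.full": 0, "discarded.nf": 0, "maxqsize": 0 }',
    '{ "name": "example-input", "bytes": 7, "bytes.received": 1024, "bytes.sent": 512 }',
]

def flatten_keys(record, sep="_"):
    """Rename 'a.b' to 'a_b'; refuse to silently overwrite an existing key."""
    out = {}
    for key, value in record.items():
        new_key = key.replace(".", sep)
        if new_key in out:
            raise ValueError(f"key collision after rename: {new_key}")
        out[new_key] = value
    return out

def nest_keys(record, leaf="value"):
    """Expand 'a.b' into {"a": {"b": ...}}.

    A scalar whose name is also a prefix is moved to a[leaf], so a field is
    never both a number and an object in the same document.
    """
    out = {}
    for key, value in record.items():
        parts = key.split(".")
        node = out
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                # Missing -> new object; existing scalar -> keep it under `leaf`.
                child = {leaf: child} if part in node else {}
                node[part] = child
            node = child
        last = parts[-1]
        if isinstance(node.get(last), dict):
            node[last][leaf] = value  # object already created by a dotted key
        else:
            node[last] = value
    return out

def convert(lines, transform=nest_keys):
    """Apply a transform to each JSON line and return re-serialised lines."""
    return [json.dumps(transform(json.loads(line))) for line in lines]

if __name__ == "__main__":
    for line in convert(SAMPLE):
        print(line)
```
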

