I have a misbehaving source which is sending non-compliant CEF events. The events have an extra field where it shouldn't be and therefore the events get misinterpreted further down the pipeline.

So the question is - what is the most "rsyslog-way" to delete a single pipe-delimited field from the middle of the event.

The event typically looks this way:

<PRI>Date time host CEF:0|Company|Product|Version|Module|extra_field|alert|priority|extended_part

I want to cut the extra_field away.

Since the fields are pipe-delimited, it's tempting to use field() but there are two problems with this approach:

1. As far as I remember, you can't return a set of fields with field(). Just a single field. So I'd have to iterate over some counter and assemble the resulting event from single fields. Not very nice.

2. If the extended_part contained by any chance a pipe character, it would cut that part short. So I can't even make a static list of fields to iterate over but I'd have to find out how many fields there are. Even uglier.

The other approach I could consider is obviously re_match(). It seems simpler in terms of the idea but regex (and I think I'd need to call it twice to match both sides of the field I want to cut) seems a bit heavy performance-wise for such a small task.

Any better ideas?

MK

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
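Both worries in the post (having to count fields, and calling the regex twice) can be avoided. As an added illustration that is not part of the original thread, here is the transformation in Python, done once by locating only the first six unescaped pipes and once with a single regex whose two capture groups keep both sides of the cut. The field position (5, between Module and alert) and the sample events are assumptions constructed from the layout in the post; the code also honours CEF's `\|` escape inside header fields, which the post does not mention.

```python
import re

# Index of the surplus header field, counting "CEF:0" as field 0.
# Assumption: it sits between Module and alert, as in the post's layout.
EXTRA_INDEX = 5

# A pipe that is not backslash-escaped; CEF allows "\|" inside header fields.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")

# One header field body: non-pipe characters or backslash-escaped characters.
_FIELD = r"(?:[^|\\]|\\.)*"
ONE_PASS = re.compile(
    r"^(.*?CEF:\d+(?:\|" + _FIELD + r"){" + str(EXTRA_INDEX - 1) + "})"  # group 1: header up to field 4
    + r"\|" + _FIELD                                                     # the surplus field, dropped
    + r"(\|.*)$"                                                         # group 2: the rest, kept verbatim
)

def drop_by_position(event: str, index: int = EXTRA_INDEX) -> str:
    """Cut field `index` by locating only the first index+1 unescaped pipes.

    Nothing after the cut field is ever split, so a pipe inside the extension
    part survives and the total number of fields never needs to be known.
    """
    if "CEF:" not in event:
        return event
    pipes = []
    for m in UNESCAPED_PIPE.finditer(event):
        pipes.append(m.start())
        if len(pipes) == index + 1:
            break
    if len(pipes) < index + 1:
        return event  # header too short to contain the field: leave as-is
    return event[:pipes[index - 1]] + event[pipes[index]:]

def drop_by_regex(event: str) -> str:
    """Same result with one regex and two capture groups instead of two calls."""
    return ONE_PASS.sub(r"\1\2", event, count=1)

# Constructed sample events (not from the post): one with a pipe in the
# extension part, one with an escaped pipe in a header field, one too short.
SAMPLES = [
    "<14>Jan  1 00:00:00 host CEF:0|Company|Product|1.0|Module|extra_field|alert|3|msg=hello|world",
    "<14>Jan  1 00:00:00 host CEF:0|Acme\\|Co|Product|1.0|Module|extra_field|alert|3|msg=x",
    "<14>Jan  1 00:00:00 host CEF:0|Company|Product|1.0|alert",
]

if __name__ == "__main__":
    for event in SAMPLES:
        assert drop_by_position(event) == drop_by_regex(event)
        print(drop_by_position(event))
```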