I have a record which looks like this:
{"log":"{\"type\":\"response\",\"@timestamp\":\"2018-03-12T18:33:17Z\",\"tags\":[],\"pid\":66,\"method\":\"head\",\"statusCode\":200,\"req\":{\"url\":\"\/\",\"method\":\"head\",\"headers\":{\"user-agent\":\"curl\/7.29.0\",\"host\":\"localhost:5601\",\"accept\":\"*\/*\"},\"remoteAddress\":\"127.0.0.1\",\"userAgent\":\"127.0.0.1\"},\"res\":{\"statusCode\":200,\"responseTime\":1,\"contentLength\":9},\"message\":\"HEAD \/ 200 1ms - 9.0B\"}"
I use mmjsonparse to parse it. I then want to parse the embedded json
string in the "log" field.
If I use mmnormalize like this:
action(type="mmnormalize"
       ruleBase="/etc/rsyslog.d/viaq/parse_json.rulebase" variable="$!log")
With a rule like this:
rule=:%payload:json%
I get a record which looks like this:
"payload":{"type":"response","@timestamp":"2018-03-12T18:33:17Z",....
so $!payload!type, $!payload!@timestamp, etc.
But what I want to have is type, @timestamp, etc. as top level fields e.g.
$!type, $!@timestamp, etc.
I have tried this:
foreach ($.ii in $!payload) do {
    set $! = $.ii;
}
unset $!payload;
But that does not work. I also tried `set $! = $!payload;` but that
didn't work either. What I really want is something like this:
foreach ($.ii in $!payload) do {
    set $!{$.ii!key} = $.ii!value;
}
unset $!payload;
I can't just do
set $!type = $!payload!type; etc. etc.
because the contents of the payload may be different each time.
I think the new parse_json function might work but I'm stuck on rhel7 ==
rsyslog 8.24.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
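Added example (not part of the original post, and not rsyslog configuration): a Python reference for the flattening the post asks for, which can be used to check what a log pipeline emits for such records. The function name, its parameters, the sample record and the collision policy (existing or protected top-level fields are never overwritten by embedded ones) are assumptions of this example.

```python
import json

# Constructed sample modelled on the record in the post: the application's
# JSON document is carried as a string inside the outer "log" field.
SAMPLE = json.dumps({"log": json.dumps({
    "type": "response", "@timestamp": "2018-03-12T18:33:17Z", "pid": 66,
    "req": {"url": "/", "remoteAddress": "127.0.0.1"},
    "message": "HEAD / 200 1ms - 9.0B"})})


def hoist_embedded(record, field="log", container="payload", protected=()):
    """Merge the JSON object embedded in record[field] into the top level.

    Embedded keys that collide with an existing top-level key, or that are
    listed in `protected`, are not hoisted; they are kept under `container`
    so application-supplied values cannot replace pipeline metadata.
    The record is returned unchanged when `field` does not hold a JSON
    object or when `container` is already in use.
    """
    raw = record.get(field)
    if not isinstance(raw, str) or container in record:
        return dict(record)
    try:
        payload = json.loads(raw)
    except ValueError:
        return dict(record)
    if not isinstance(payload, dict):
        return dict(record)
    out = {k: v for k, v in record.items() if k != field}
    reserved = set(protected) | {container}
    leftover = {}
    for key, value in payload.items():
        if key in out or key in reserved:
            leftover[key] = value
        else:
            out[key] = value
    if leftover:
        out[container] = leftover
    return out


def demo():
    """Flatten the constructed sample and return the resulting record."""
    return hoist_embedded(json.loads(SAMPLE))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```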