Hi, just out of interest: what is/should be the expected behaviour of the raw message strategy "ENVELOPE"?
- Should a parser with this strategy only accept message that were already pre-processed by another parser? - Or should parser like this accept both? Direct ingests as well as ingests that are chained from a previous parser? Imagine you have 2 different log sources. One adds a syslog header the other doesn't. Example message from source 1: "<86>Dec 3 18:25:10 my.hostname.com This is the message" Example message from source 2: "This is the other message". Assumption is, that both "This is the message" and "This is the other message" can be parsed using the same pattern. Would I/Should I need to use 3 Kafka topics (1 for the syslog parser, 1 for the chained parser and another identical for the direct ingestion) or 2 Kafka topics (1 for the syslog parser, 1 for both, the enveloped/chained source and the "default" source). Appreciate your thoughts and comments. Best, Stefan -- Stefan Kupstaitis-Dunkler https://datahovel.com/ https://www.meetup.com/Hadoop-User-Group-Vienna/ https://twitter.com/StefanDunkler
