[rsyslog-notify] Forum Thread: Re: TSV data into mongodb - (Mode 'reply')
noreply at adiscon.com
Mon May 11 21:38:22 CEST 2015
User: toddaa
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25558#p25558
Message:
----------
dlang,
Just wanted to give you a quick update to let you know where I'm at. I
really appreciate the help you have provided and hope the following
information gives you a hint into where I'm going wrong.
I found these articles:
http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
http://www.liblognorm.com/help/creating-a-rulebase/
which have been a huge help understanding how it works. I also went and
downloaded the latest version of liblognorm to try to find these
rulebase.rb files. I guess what I don't understand is how the data gets
back to rsyslog from liblognorm, or how do I use it in a template. Here's
my current template:

    template(name="WowzaFormat1" type="string"
    string="\"sys\":\"%hostname%\",
    \"time\":\"%timereported:::date-unixtimestamp%\",
    \"time_rcvd\":\"%timegenerated:::date-rfc3339%\",
    \"host_ip\":\"%fromhost-ip%\",
    \"syslogTag\":\"%syslogtag%\"")

This works great to a file as well as to mongodb, but there are no fields
from the original %msg% field. I stuck in the config you provided into a
rulebase file which reads:

    rule=:%tokenized:\x09:char-to:\x09%

I've also tried:

    rule=tokenized:tokenized words: %arr:tokenized:\x09:char-to:\x09%

which I found and modified from the liblognorm source package. (not sure why
there's not as many % characters...I just changed the delimiters) Then
modified the template to

    template(name="WowzaFormat1" type="string"
    string="\"sys\":\"%hostname%\",
    \"time\":\"%timereported:::date-unixtimestamp%\",
    \"time_rcvd\":\"%timegenerated:::date-rfc3339%\",
    \"host_ip\":\"%fromhost-ip%\",
    \"syslogTag\":\"%syslogtag%\",
    \"test\":\"%$!tokenized%\"")

This gives the same result as the first template.
I feel like the problem is the term %$!tokenized% in the template. Do I
need to specify the key? How does it know where I'm at in the data from
%msg%?
I apologize for the bombardment of questions. Like I said...Thanks again
for providing assistance. I'm sure you'll look at my config and be able
to see exactly what's wrong.
Thanks again! I look forward to your response.