[rsyslog-notify] Forum Thread: Re: TSV data into mongodb - (Mode 'edit_last_post')

noreply at adiscon.com noreply at adiscon.com
Mon May 11 22:02:40 CEST 2015


User: toddaa 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25558#p25558

Message: 
----------
dlang,

Just wanted to give you a quick update to let you know where I'm at.  I
really appreciate the help you have provided and hope the following
information gives you a hint into where I'm going wrong.

I found these articles:
http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
http://www.liblognorm.com/help/creating-a-rulebase/
which have been a huge help understanding how it works.  I also went and
downloaded the latest version of liblognorm to try to find these
rulebase.rb files.  I guess what I don't understand is how the data gets
back to rsyslog from liblognorm, or how do I use it in a template.  Here's
my current template:
    template(name="template01" type="string"
             string="\"sys\":\"%hostname%\",
    \"time\":\"%timereported:::date-unixtimestamp%\",
    \"time_rcvd\":\"%timegenerated:::date-rfc3339%\",
    \"host_ip\":\"%fromhost-ip%\",
    \"syslogTag\":\"%syslogtag%\"")

This works great to a file as well as to mongodb, but there are no fields
from the original %msg% field.  I stuck the config you provided into a
rulebase file which reads:

    rule=:%tokenized:\x09:char-to:\x09%

I've also tried:

    rule=tokenized:tokenized words:
    %arr:tokenized:\x09:char-to:\x09%

which I found and modified from the liblognorm source package. (not sure why
there's not as many % characters...I just changed the delimiters)  Then I
modified the template to

    template(name="template01"
             type="string" string="\"sys\":\"%hostname%\",
    \"time\":\"%timereported:::date-unixtimestamp%\",
    \"time_rcvd\":\"%timegenerated:::date-rfc3339%\",
    \"host_ip\":\"%fromhost-ip%\", \"syslogTag\":\"%syslogtag%\",
    \"test\":\"%$!tokenized%\"")

This gives the same result as the first template.

I feel like the problem is the term %$!tokenized% in the template.  Do I
need to specify the key?  How does it know where I'm at in the data from
%msg%?

I apologize for the bombardment of questions.  Like I said...Thanks again
for providing assistance.  I'm sure you'll look at my config and be able
to see exactly what's wrong.

Thanks again!  I look forward to your response.
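Editor's worked example, not code from toddaa's post or from dlang's earlier replies: an end-to-end mmnormalize pipeline for a hypothetical three-column TSV (user, source IP, action) that shows where liblognorm's output lands (the $! tree, so $!user rather than a bare %msg% substring), how to build the MongoDB document without hand-assembling JSON in a string template, and how to divert lines the rulebase cannot parse. The rulebase is in liblognorm v1 syntax; the \x09 tab escape is the one this thread already uses and is taken as an assumption here, so check the rule against a sample line with `lognormalizer -r tsv.rb` before relying on it. File paths, the database and collection names, and the field names are placeholders.

```rsyslog
### /etc/rsyslog.d/tsv.rb -- liblognorm v1 rulebase for a hypothetical TSV line
### of the form  user<TAB>source-ip<TAB>action
### Assumption: \x09 is accepted as the tab escape (as used elsewhere in this
### thread); verify with lognormalizer before deploying.
rule=:%user:char-to:\x09%\x09%src:ipv4%\x09%action:rest%

### /etc/rsyslog.d/tsv.conf -- rsyslog (RainerScript) side
module(load="mmnormalize")
module(load="ommongodb")

# mmnormalize parses the %msg% property by default. Every field the matching
# rule extracts is stored in the message's $! JSON tree: $!user, $!src, $!action.
action(type="mmnormalize" rulebase="/etc/rsyslog.d/tsv.rb")

# Build the document with a list template so every value passes through the
# json property option, which escapes ", \ and control characters. Splicing a
# raw %$!user% into a hand-written JSON string lets a crafted log line close
# the string and add keys of its own to the stored document.
template(name="tsvdoc" type="list") {
    constant(value="{\"sys\":\"")
    property(name="hostname" format="json")
    constant(value="\",\"time\":\"")
    property(name="timereported" dateFormat="unixtimestamp")
    constant(value="\",\"host_ip\":\"")
    property(name="fromhost-ip" format="json")
    constant(value="\",\"user\":\"")
    property(name="$!user" format="json")
    constant(value="\",\"src\":\"")
    property(name="$!src" format="json")
    constant(value="\",\"action\":\"")
    property(name="$!action" format="json")
    # $!all-json renders the entire $! tree; it shows exactly what mmnormalize
    # produced for this message, which is the first thing to look at when a
    # template field comes out empty.
    constant(value="\",\"parsed\":")
    property(name="$!all-json")
    constant(value="}")
}

# mmnormalize sets $parsesuccess to "OK" or "FAIL". Keep lines that did not
# match out of the database and in a review file: a silently dropped or
# half-parsed line is how a log pipeline loses the one event that mattered.
if $parsesuccess == "FAIL" then {
    action(type="omfile" file="/var/log/tsv-unparsed.log")
    stop
}

action(type="ommongodb" server="127.0.0.1" db="logs" collection="tsv"
       template="tsvdoc")
```

With this layout the question in the post answers itself: the key in the template is whatever name the rule gave the field (here %$!user%, %$!src%, %$!action%), and %$!all-json% is the quickest way to confirm those names exist before adding them one by one.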


More information about the rsyslog-notify mailing list