[rsyslog-notify] Forum Thread: Re: TSV data into mongodb - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Tue May 12 19:09:37 CEST 2015 

User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25571#p25571

Message: 
----------
the fact that it's getting unparsed data means that the message doesn't
match anything in your rulebase

so do 

echo
""INFO\tstream\tplay\t2015-05-12\t10:56:27\t409963998\tclientip\t-\t3633\t3497\t0.081\t081808\t1\t0\t0\t0\t133581414\t2360.859\t081808\t-\trtmp\trtmp://host/app/\thttps://host1/script/player.swf\tapp\t1431442560"
|/usr/lib/lognorm/lognormalizer -r /etc/rsyslog.mmnormalize.rb

and work on the rulebase until you get one that matches the rule.

the unparsed data section shows how far it got in parsing the message. In
this case it didn't get anywhere.

in this case, it looks like it's not actually containing tabs, but instead
containing the literals '\t'

it looks to me like there's a bug here. I almost get it to work like this:

# cat del5
rule=:%fields:tokenized:\\:char-to:\\%\\t%test:word%
# echo
"INFO\tstream\tplay\t2015-05-12\t10:56:27\t409963998\tclientip\t-\t3633\t3497\t0.081\t081808\t1\t0\t0\t0\t133581414\t2360.859\t081808\t-\trtmp\trtmp://host/app/\thttps://host1/script/player.swf\tapp\t1431442560"
|/usr/lib/lognorm/lognormalizer -r del5 -e json -T 
{ "test": "1431442560", "fields": [ "INFO", "tstream", "tplay",
"t2015-05-12", "t10:56:27", "t409963998", "tclientip", "t-", "t3633",
"t3497", "t0.081", "t081808", "t1", "t0", "t0", "t0", "t133581414",
"t2360.859", "t081808", "t-", "trtmp", "trtmp:\/\/host\/app\/",
"thttps:\/\/host1\/script\/player.swf", "tapp" ] }

but if I change the rulebase to:
rule=:%fields:tokenized:\\t:char-to:\\%\\t%test:word%
it only matches the first field (INFO) and I get this instead:
# echo
"INFO\tstream\tplay\t2015-05-12\t10:56:27\t409963998\tclientip\t-\t3633\t3497\t0.081\t081808\t1\t0\t0\t0\t133581414\t2360.859\t081808\t-\trtmp\trtmp://host/app/\thttps://host1/script/player.swf\tapp\t1431442560"
|/usr/lib/lognorm/lognormalizer -r del5 -e json -T 
{ "test":
"stream\\tplay\\t2015-05-12\\t10:56:27\\t409963998\\tclientip\\t-\\t3633\\t3497\\t0.081\\t081808\\t1\\t0\\t0\\t0\\t133581414\\t2360.859\\t081808\\t-\\trtmp\\trtmp:\/\/host\/app\/\\thttps:\/\/host1\/script\/player.swf\\tapp\\t1431442560",
"fields": [ "INFO" ] }

More information about the rsyslog-notify mailing list