[rsyslog-notify] Forum Thread: Re: TSV data into mongodb - (Mode 'edit_last_post')

noreply at adiscon.com noreply at adiscon.com
Wed May 13 17:48:00 CEST 2015


User: toddaa 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25592#p25592

Message: 
----------
dlang,

I found this: http://blog.gerhards.net/2012/04/mongodb-bson-and-templates.html
Looks like Rainer has had a request/idea, but that's from a few years ago.
I'm not sure if it was ever completed or not, or if my version of the
module is too old to include it.  Also found this one:
http://www.gossamer-threads.com/lists/rsyslog/users/7288
I believe that's you that commented there.  Still...a little old.

In any case, for now I just changed the names of the fields in my
mmnormalize rulebase to what I want to see in mongodb.  That should be
fine.

I did however find yet another question about mmnormalize I was hoping you
could help with.  Currently everything is returned as a string.  Can
certain fields be returned or converted into an int before going into the
mongodb?  Here's my current rule and output:
[code]
# cat /etc/rsyslog.mmnormalize.rb
rule=:%xseverity:char-to:,%,%xcategory:char-to:,%,%xevent:char-to:,%,%wdate:char-to:,%,%wtime:char-to:,%,%cclientid:char-to:,%,%cip:char-to:,%,%cport:char-to:,%,%csbytes:char-to:,%,%scbytes:char-to:,%,%xduration:char-to:,%,%xsname:char-to:,%,%xstreamid:char-to:,%,%xspos:char-to:,%,%scstreambytes:char-to:,%,%csstreambytes:char-to:,%,%xfilesize:char-to:,%,%xfilelength:char-to:,%,%xctx:char-to:,%,%xcomment:char-to:,%,%cproto:char-to:,%,%suri:char-to:,%,%creferrer:char-to:,%,%xapp:char-to:,%,%systimelong:number%

# echo "INFO,stream,play,2015-05-12,13:10:35,1383311350,clientip,-,3633,3497,0.084,081808,1,0,0,0,133581414,2360.859,081808,-,rtmp,rtmp://host/app/,https://host1/script/player.swf,app,1431450624" | /usr/bin/lognormalizer -r /etc/rsyslog.mmnormalize.rb
[cee@115 systimelong="1431450624" xapp="app" creferrer="https://host1/script/player.swf" suri="rtmp://host/app/" cproto="rtmp" xcomment="-" xctx="081808" xfilelength="2360.859" xfilesize="133581414" csstreambytes="0" scstreambytes="0" xspos="0" xstreamid="1" xsname="081808" xduration="0.084" scbytes="3497" csbytes="3633" cport="-" cip="clientip" cclientid="1383311350" wtime="13:10:35" wdate="2015-05-12" xevent="play" xcategory="stream" xseverity="INFO"]
[/code]

Take a look at the systimelong field, which is the last one in the rule.  I
changed the rule from %systimelong:word% to %systimelong:number%.  This
still works, since it's a number, but the output is surrounded in quotes
like a string would be.  Can this be an integer, or do I need to convert it
back in the template with a property replacer appended to the mmnormalize
field (can I even do that)?
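
The typing problem described above, as an added example that is not part of the original post or of rsyslog: a Python post-processing step that parses the `[cee@115 ...]` output and casts selected fields before the document is stored. Which fields are integers or floats is an assumption made here from the sample values, and the sample line is a shortened, constructed copy of the post's output.

```python
import re

# Constructed sample: the post's lognormalizer output, shortened to a few fields.
SAMPLE = ('[cee@115 systimelong="1431450624" xfilelength="2360.859" '
          'xfilesize="133581414" cport="-" cip="clientip" xseverity="INFO"]')

# Assumed typing of the post's field names; adjust to the real schema.
INT_FIELDS = {"systimelong", "xfilesize", "cport", "csbytes", "scbytes", "cclientid"}
FLOAT_FIELDS = {"xfilelength", "xduration"}

# key="value" pairs; the value may contain backslash-escaped characters.
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
PREFIX = "[cee@115 "


def parse_cee(line):
    """Return the key="value" pairs of a [cee@115 ...] element as a dict of strings."""
    body = line.strip()
    if not (body.startswith(PREFIX) and body.endswith("]")):
        raise ValueError("not a cee@115 structured-data element")
    pairs = PAIR.findall(body[len(PREFIX):-1])
    return {key: re.sub(r"\\(.)", r"\1", val) for key, val in pairs}


def coerce(doc):
    """Cast the listed fields; "-" (nothing logged) becomes None, bad input stays a string."""
    out = {}
    for key, val in doc.items():
        caster = int if key in INT_FIELDS else float if key in FLOAT_FIELDS else None
        if caster is None:
            out[key] = val
        elif val == "-":
            out[key] = None
        else:
            try:
                out[key] = caster(val)
            except ValueError:
                out[key] = val  # keep the raw string rather than drop the event
    return out


if __name__ == "__main__":
    print(coerce(parse_cee(SAMPLE)))
```

Values stored as strings compare lexicographically in MongoDB, so range queries and sorts on fields such as systimelong only behave numerically once they are stored as numbers.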

