[syslog-ng] CSV parser and empty fields
Bill Anderson
Bill.Anderson at bodybuilding.com
Mon Nov 8 15:30:20 CET 2010
On Nov 6, 2010, at 1:13 PM, Fekete Róbert wrote:
>
> On Saturday, November 06, 2010 00:40 CET, Matthew Hall <mhall at mhcomputing.net> wrote:
>
>> I'm surprised it doesn't handle doubled delimiters right.
>>
>> However I am likewise stumped. I can't find any explanation anywhere in
>> the Balabit docs which explain what escape-* options do specifically.
> You´re right, that is missing. I´ll hunt down what they do, and add it to the docs.
>
> @Bill:
> I can think of two possibilities that might do what you´re looking for:
> 1. In your template, try to specify a default value for your macros, for example, to specify a dash:
> {$APACHE.REFERRER:-}
> The problem with this is that it might not work - default values probably work only during parsing, and not when the macro is used is a template, but I think it is worth a try. If they were implemented in a universal way, it might work.
I'm with you in the suspicion it won't work but I'll give it a shot. If it doesn't, I'll go with below for now.
>
> 2. In syslog-ng OSE 3.2, you can use template functions and other operators to check and compare macro values. You would need to use the "if" template function to return a dash or other suitable value if your macros are empty (""). So instead of $APACHE.REFERRER, your template would look something like:
> $(if ("${APACHE.REFERRER}" == "") "-" $APACHE.REFERRER)
3.2 isn't an option just yet here, so this won't work. However, it gives me an idea. Perhaps prior to calling the parser I could to a rewrite on "\t\t" to "\t-\t". It feels hackish, but might work as long as the performance impact isn't too bad.
Ultimately though, the parser needs to not "skip" empty-value fields.
Cheers,
Bill
More information about the syslog-ng
mailing list