The indexing system I'm writing will work best if it can read in syslog-ng logs as regular files (as opposed to fifos, sockets or SQL). In order to have multiple indexing workers going at the same time, I'm finding it easiest if the output from syslog-ng can be divided into chunks like this:<br>
<br>destination d_file { file("/tmp/slices/$R_UNIXTIME.${.classifier.rule_id}" template(t_db_parsed)); };<br><br>The workers index the chunks as syslog-ng spits them into the slices buffer directory. This works pretty well, but I'm limited to tuning only between one-second intervals provided by $R_UNIXTIME, or minute, hour, etc. intervals by concatenating other time macros together. Is there some way I could get syslog-ng to spit out something like 5-second slices? Also, will syslog-ng know to close the file handle on a log slice when the $R_UNIXTIME second has elapsed?<br>
<br>Thanks,<br><br>Martin<br><br>