<div dir="ltr"><div><div><div>Hi,<br><br></div>format-json uses the value-pairs syntax, and I agree that the docs is not very clear on that. Here's the right section:<br><br><a href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#options-value-pairs">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#options-value-pairs</a><br><br><br> You can rename stuff using the --pair argument:<br><br></div><span style="font-family:monospace,monospace">$(format-json --pair name=$VALUE<br></span><br></div><div>macro resolution is possible after the equal sign, in fact it is a complete template, that may again contain template functions and such. You might even be interested in rekey() where you can apply simple transformation on<br></div><div>key names automatically:<br><br><pre style class=""><span class="">$</span><span class="">(</span><span class="">format</span><span class="">-</span><span class="">json </span><span class="">--</span><span class="">rekey </span><span class="">.</span><span class="">cee</span><span class="">.*</span><span class=""> </span><span class="">--</span><span class="">add</span><span class="">-</span><span class="">prefix events</span><span class="">.)<br><br></span></pre>Hope this helps,<br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Wed, Jan 28, 2015 at 10:02 AM, Daniel Neubacher <span dir="ltr"><<a href="mailto:daniel.neubacher@xing.com" target="_blank">daniel.neubacher@xing.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="DE">
<div>
<p class="MsoNormal"><span lang="EN-US">Hey there,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">right now I’m playing around with different json shippers for log files and I’m a bit lost with syslog-ng. I’ve read the docs but I still don’t know how to change the json Fields syslog-ng sends out. In order to get my
new Installation approved I have to keep the old field names in mind, for example syslog sends out HOST_FROM but I need source_host. Right now logstash/mutate does the renaming but I don’t like to waste performance there.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">My destination:<u></u><u></u></span></p>
<p><span lang="EN-US">destination d_logstash_syslog_syslog_new {tcp("consumer.foo.bar" port(6002) template("$(format-json --scope selected_macros --scope nv_pairs)\n") );};<u></u><u></u></span></p>
<p><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks in advance<span class="HOEnZb"><font color="#888888"><u></u><u></u></font></span></span></p><span class="HOEnZb"><font color="#888888">
<p class="MsoNormal"><span lang="EN-US">Daniel<u></u><u></u></span></p>
</font></span></div>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>