<div dir="ltr">Thanks so much, appreciate your help!</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--<div>Jorge Pereira</div></div></div></div>
<br><div class="gmail_quote">On Mon, Sep 5, 2016 at 7:44 AM, Scheidler, Balázs <span dir="ltr">&lt;<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>I think Fabien is right, but maybe some more hints could help you. So, yes, json-parser() is responsible for parsing messages out of your log file; it simply sets a number of name-value pairs based on the input.<br><br></div><div>log {<br></div><div> source {<br> file("/var/log/app.log");<br> };<br></div><div> parser { json-parser(); };<br></div><div> destination { tcp("logcollector" template(<font color="#000000"><span style="font-size:12.8px">"$(format-json --pair newfield=\"value\")"</span></font><span style="font-size:12.8px;color:rgb(0,0,0)">)); };<br></span></div><div><br></div><div>};<br></div><div><br></div>If you don't want to specify a template towards your log collector explicitly, you can also rewrite the $MSG name-value pair:<br><br></div>rewrite { set(<font color="#000000"><span style="font-size:12.8px">"$(format-json --pair newfield=\"value\")"</span></font><span style="font-size:12.8px;color:rgb(0,0,0)"> value('MSG')); };<br><br></span></div><span style="font-size:12.8px;color:rgb(0,0,0)">This way, your collector destination may find a properly JSON-formatted message that it can send out without using a specific template string.<span class="HOEnZb"><font color="#888888"><br></font></span></span><span class="HOEnZb"><font color="#888888"><div><div><div><br></div></div></div></font></span></div><div class="gmail_extra"><span class="HOEnZb"><font color="#888888"><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br></font></span><div class="gmail_quote"><div><div class="h5">On Sun, Sep 4, 2016 at 2:42 AM, Jorge Pereira <span dir="ltr">&lt;<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><span><span style="color:rgb(0,0,0);font-size:12.8px">Hi team,</span><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px"> Currently, I receive a JSON log from X, but I would like to append a new field. Is it possible?</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div></span><div style="color:rgb(0,0,0);font-size:12.8px">e.g., I am trying to do something like:</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div><div><font color="#000000"><span style="font-size:12.8px">log {</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> source {</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> file("/var/log/app.jsonlog"</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> program_override("ng_app")</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> follow_freq(1)</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> flags(no-parse)</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> template("$(format-json --pair newfield=\"value\")"</span></font><span style="font-size:12.8px;color:rgb(0,0,0)">);</span></div><div><font color="#000000"><span style="font-size:12.8px"> );</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> };</span></font></div><div><br></div><div><font color="#000000"><span style="font-size:12.8px"> destination(d_remote_collector);</span></font></div><div><font color="#000000"><span style="font-size:12.8px">};</span></font></div></div></div>
<br></div></div><span class="">______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></span></blockquote></div><br></div>
<br></blockquote></div><br></div>
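Added example (not part of the original thread and not the syslog-ng project's own configuration): the json-parser() plus $(format-json) approach from the reply, written out as a full configuration that keeps the fields parsed from the input and appends the new one. The object names `s_app`, `p_json` and `d_collector`, the `.json.` prefix and the `@version` line are assumptions made for illustration.

```conf
# Assumed version line; set it to the syslog-ng version you actually run.
@version: 3.8

source s_app {
    # flags(no-parse) keeps each line of the file as-is in $MSG instead of
    # trying to interpret it as a syslog message.
    file("/var/log/app.log" flags(no-parse));
};

parser p_json {
    # Every key of the incoming JSON object becomes a name-value pair.
    # The ".json." prefix (an assumption of this example) keeps them apart
    # from built-in macros such as $HOST or $PROGRAM.
    # A line that is not valid JSON fails this parser and is not delivered
    # on this log path, so malformed input does not reach the collector.
    json-parser(prefix(".json."));
};

destination d_collector {
    tcp("logcollector"
        # --key selects the parsed fields, --rekey/--shift strips the
        # six-character ".json." prefix from their names again, and
        # --pair appends the new field to the resulting object.
        template("$(format-json --key .json.* --rekey .json.* --shift 6 --pair newfield=\"value\")\n")
    );
};

log {
    source(s_app);
    parser(p_json);
    destination(d_collector);
};
```

The file can be checked before deployment with `syslog-ng --syntax-only -f <path-to-file>`.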