<div dir="ltr"><div>Hi,<br><br></div>This article discusses parsing plus elastic, albeit it does use db-parser() for the parsing piece, where you probably want to use kv-parser() as Fabien has mentioned.<br><div><div><br><a href="https://www.balabit.com/blog/how-to-parse-data-with-syslog-ng-store-in-elasticsearch-and-analyze-with-kibana/">https://www.balabit.com/blog/how-to-parse-data-with-syslog-ng-store-in-elasticsearch-and-analyze-with-kibana/</a><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Wed, Dec 21, 2016 at 12:52 PM, Fabien Wernli <span dir="ltr"><<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Tim,<br>
<span class=""><br>
On Wed, Dec 21, 2016 at 11:47:46AM +0000, Jentz, Tim wrote:<br>
> I thought the nv-pairs scope would do the trick but it doesn't seem to have any effect on the message. Any idea what I'm doing wrong here or can syslog-ng not accomplish what I want to do at all?<br>
<br>
</span>No, the `format-json()` function will merely generate JSON for all the<br>
syslog-ng macros, e.g. MESSAGE. But your key=value stings are inside the<br>
MESSAGE macro, and for them to be extracted you need to parse the content of<br>
MESSAGE.<br>
<br>
Luckily for you there's the `kv-parser()` which will do just that:<br>
<br>
<a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/key-value-parser.html" rel="noreferrer" target="_blank">https://www.balabit.com/<wbr>documents/syslog-ng-ose-<wbr>latest-guides/en/syslog-ng-<wbr>ose-guide-admin/html/key-<wbr>value-parser.html</a><br>
<div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br></div>