Thank you, I did not realize that either. I know if/else is certainly less confusing and more intuitive. I will take a look at the gist. I’m still interested in how it would work.

I had already decided to stick with if/else because the sysadmins who will have to maintain this don’t spend a lot of time in syslog-ng. I’m probably now the syslog-ng expert for my team, and I hardly know how to use it compared to, I'm sure, most of you. Most of our systems have rsyslog on them and even then we mostly use the stock configuration unless someone needs something special, which is rare. However, we have a bunch of Splunk log aggregators and the admins for Splunk are requesting syslog-ng specifically and are wanting to do some very custom filtering into folders so that they can more easily index it on their end. I don’t think their requests exactly align with Splunk best practices but it isn’t my call. Other than myself, the next time someone touches these configuration files they will likely have little knowledge of syslog-ng, so I have to make it as easy as possible to understand.

-Mark

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Péter, Kókai
Sent: Wednesday, March 27, 2019 3:03 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Convert if/else to nested log paths

Hello,

I want to emphasise that the *if* is a superior solution.
Here is a gist just for your academic exercise: https://urldefense.proofpoint.com/v2/url?u=https-3A__gist.github.com_Kokan_6...

--
Kokan

On Tue, Mar 26, 2019 at 8:45 PM Faine, Mark R. (MSFC-IS40)[NICS] <mailto:mark.faine@nasa.gov> wrote:

What is the conversion of an if/else to embedded log path statements? I tried to do this today and didn't have any luck so I reverted back to if/else.
I have a log statement with a series of if/else blocks:

    log {
        source(pan_splunk);
        if {
            filter {
                host("^[a-z]+\.foo.*$")
                or netmask('192.168.1.100/32')
                or netmask('192.168.1.101/32');
            };
            rewrite { set("foo" value("location")); };
        } elif {
            filter {
                host("^[a-z]+\.bar.*$")
                or netmask('192.168.1.102/32')
                or netmask('192.168.1.103/32');
            };
        } else {
            rewrite { set("unknown" value("location")); };
        };
    };

Can this be written with embedded log statements? The if/else blocks are working for me so this is just an academic exercise but I'd really like to understand how to do it with embedded log paths.

Thanks,
-Mark

______________________________________________________________________________
Member info: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.balabit.hu_mailma...
Documentation: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_support_...
FAQ: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_wiki_sys...
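One way to express the if/elif/else from the question as embedded log paths, added here as an illustration; it is not the content of the linked gist and not code from the thread. The destination name d_by_location is hypothetical, and the fragment assumes that source(pan_splunk) and that destination are defined elsewhere in the configuration.

```conf
# Added example: the question's if/elif/else as embedded log paths.
# pan_splunk is from the thread; d_by_location is a hypothetical destination.
log {
    source(pan_splunk);

    # "if" branch: flags(final) keeps a matching message out of the
    # sibling branches below, which is what makes the order significant.
    log {
        filter {
            # single quotes keep the backslash in the regexp literal
            host('^[a-z]+\.foo.*$')
            or netmask('192.168.1.100/32')
            or netmask('192.168.1.101/32');
        };
        rewrite { set("foo" value("location")); };
        destination(d_by_location);
        flags(final);
    };

    # "elif" branch: as in the question, it only matches and sets nothing.
    log {
        filter {
            host('^[a-z]+\.bar.*$')
            or netmask('192.168.1.102/32')
            or netmask('192.168.1.103/32');
        };
        destination(d_by_location);
        flags(final);
    };

    # "else" branch: no filter, so it receives only what the two
    # branches above did not claim.
    log {
        rewrite { set("unknown" value("location")); };
        destination(d_by_location);
    };
};
```

Each branch carries its own destination because the documented layout places embedded log statements after the other elements of the enclosing log path. Dropping flags(final) from either of the first two branches would let a matching message fall through to the last branch as well and be written twice, the second copy tagged "unknown".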