From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Gergely Nagy [algernon@balabit.hu]
Sent: Saturday, January 29, 2011 6:14 AM
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] [RFC]: value_pairs() demo
[...snip...]
destination d_mongo {
  mongodb(
    value_pairs(
      builtins(no)
      select("*")
      exclude(".classifier.rule_id")
      "$HOST" "$MESSAGE"
      ("PROGRAM" "$PROGRAM[$PID]")
      ("TIMESTAMP" "$UNIXTIME")
    )
  );
};
And this will do exactly what it says: skip builtins, select everything that is left, and exclude ".classifier.rule_id" from that, and then add a few extra things of our own.
I think that the "builtin(no)" option should be abandoned in favour of something else. It is really nothing more than a power-select or power-exclude, but it does not honour the order requirement of the select/exclude options. In the above example you have excluded the built in macros but then used a select("*"), which implies adding everything back in. If you had done these in the opposite order, what semantics would be intended?

It is unclear to me what is defined as a builtin macro and which ones are not. It is also unclear where the $UNIXTIME came from, since it was not shown at all in the example that apparently included everything.

Perhaps just relying on the select/exclude (which should probably be renamed to include/exclude) would be sufficient, since in most cases at least some of the builtin macros will be desired, and like in your example where you included the $HOST and $MESSAGE, it would have been almost as easy to merely exclude the others by name and not use the builtin option at all.

Just my $0.02

Evan Rempel.