you have to generate it. In the example above I've parsed a value out of the log message as $sessionid, but you can use more complex values like:
Ok, got it.
Ahh. I've just noted that I didn't blog about $(grep) and $(if), but they certainly do what they imply:
$(grep filter template1 template2 template3...)
searches for messages in the current correlation state matched by filter expression "filter" and evaluates the templates.
$(if filter foo bar)
Cool!
If filter is true results in foo, otherwise bar.
So, an example statement might be: $(if ${useracct}1 == "?" ${useracct}="unknown" ${useracct}=${useracct} Is that right? I guess I'm not understanding foo and bar in your example.
Filters got extended too; now you can use simple comparison operators à la Perl: numeric comparison is the same as C (<, <=, ==, >=, >, !=), string comparison is the same as Perl: lt, le, eq, ge, gt, ne
You can compare templates, e.g. "$FACILITY_NUM" > "5"
Coupled with the inet_aton functionality you've already added, this would mean you could do filtering based on IP ranges, right?