value-pairs(
    scope(selected_macros nv_pairs)
    select(".*")
    select("usracct.*")
    select("secevt.*")
    select(".SDATA.*")
    exclude("*")
    key("SEVERITY")
    key("HOST")
    key("PROGRAM")
    key("PID")
    key("MSG")
    key("TAGS")
    pair("timestamp" "$UNIXTIME")
);

I think I've realized why I have so much trouble with the meaning of this stanza. I think that you are approaching this as a filter of the keys. When doing this, the first filter that "matches" the key is the one that actually determines if the key is included or not. I approach this as a set theory specification. In set theory, it is the last item that determines if a key is included. Both are equally flexible and non-ambiguous. My preference for this type of task is to use set theory. I view this as building a set of keys to place into the output template. I find the following a lot more intuitive:

value-pairs(
    scope(selected_macros nv_pairs)
    exclude("*")
    select("secevt.*")
    select("usracct.*")
    select(".*")
    key("SEVERITY")
    key("HOST")
    key("PROGRAM")
    key("PID")
    key("MSG")
    key("TAGS")
    pair("timestamp" "$UNIXTIME")
);

select(".SDATA.*") isn't needed because it matches the select(".*") anyway. This would mean: exclude everything, then add back in the secevt.*, usracct.* and .* keys.

This method is even more obvious when you match subgroups:

value-pairs(
    scope(selected_macros nv_pairs)
    exclude("*")
    select("secevt.*")
    select("usracct.*")
    exclude("usr.acct.*.something")
    select(".*")
    key("SEVERITY")
    key("HOST")
    key("PROGRAM")
    key("PID")
    key("MSG")
    key("TAGS")
    pair("timestamp" "$UNIXTIME")
);

If you opt for the filter approach then the docs will have to be clear in stating that the select and include are final filters. Selects or excludes following will have no effect.

-- Evan
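The two readings Evan contrasts, first-match filtering versus last-match set building, as an added example that is not part of the post or of syslog-ng itself. It assumes glob matching for the patterns (so ".*" matches names starting with a dot) and that a key matching no rule keeps its scope default; the key names and the "usracct.*.something" subgroup pattern are constructed for the demonstration.

```python
from fnmatch import fnmatchcase

# Constructed key names standing in for one message's name-value pairs.
SAMPLE_KEYS = [
    "secevt.verdict",
    "usracct.username",
    "usracct.session.something",
    ".SDATA.meta.sequenceId",
    "unrelated.key",
]

# The first stanza from the post, written the way a filter reader orders it.
FILTER_STYLE = [
    ("select", ".*"),
    ("select", "usracct.*"),
    ("select", "secevt.*"),
    ("select", ".SDATA.*"),
    ("exclude", "*"),
]

# The set-theory stanza from the post, including the subgroup exclusion.
# ".SDATA.*" is left out because ".*" already covers it.
SET_STYLE = [
    ("exclude", "*"),
    ("select", "secevt.*"),
    ("select", "usracct.*"),
    ("exclude", "usracct.*.something"),  # constructed subgroup pattern
    ("select", ".*"),
]


def first_match(key, rules):
    """Filter semantics: the first rule whose glob matches decides."""
    for op, pattern in rules:
        if fnmatchcase(key, pattern):
            return op == "select"
    return True  # assumption: an unmatched key keeps its scope default


def last_match(key, rules):
    """Set semantics: rules apply in order, the last matching one wins."""
    kept = True  # assumption: scope() has already put the key in the set
    for op, pattern in rules:
        if fnmatchcase(key, pattern):
            kept = op == "select"
    return kept


def evaluate(keys, rules, decide):
    """Return the sorted keys that survive the rules under one semantics."""
    return sorted(k for k in keys if decide(k, rules))
```

Evaluating each stanza under the other reading empties the set: with first-match the leading exclude("*") swallows everything, and with last-match the trailing exclude("*") does.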