Chris Johnson <masterof0@gmail.com> writes:
Based on the following structured syslog, I am trying to extract the reason from the SDATA portion of the log.
2012-02-05T16:24:45.368 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="unset" ]
Problem I think I am running into is the value-pair that I am trying to extract includes the dots so the parser thinks it's nested information
    destination d_mongodb {
        mongodb(
            value-pairs(
                scope("everything")
                key(".SDATA.junos@2636.1.1.1.2.36.reason")
            )
        );
    };
Thoughts? Any help is greatly appreciated.

I just tried this with syslog-ng 3.4, without the key() (because scope("everything") already includes the key), and the reason ended up like this:

    db.messages.find({}, {_SDATA: 1, _id: 0})
    { "_SDATA" : { "junos@2636" : { "1" : { "1" : { "1" : { "2" : { "36" : { "reason" : "unset" } } } } } } } }

This does look awkward, indeed. If you just want the reason, with a better key name, then the best you can do at the moment is to use something like the following:

    value-pairs (
        pair("SDATA.junos@2636-1-1-1-2-36.reason", "${.SDATA.junos@2636.1.1.1.2.36.reason}")
        scope("base")
    );

The same should work in 3.3, too. If it doesn't, then I screwed something up terribly.

Nevertheless, an easy way to replace recurring patterns in a value-pair key name would be neat, and would fit into the key rewrite feature already in 3.4... I'll think about this a little more.

-- 
|8]
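
Added example, not part of the original thread and not syslog-ng's own code: a Python sketch of why the dotted SD-ID turns into nested documents, and what the renamed key from the pair() suggestion produces instead. The function names, the sample string (constructed from the log line above) and the leading-dot-to-underscore handling (modelled on the `_SDATA` output shown above) are assumptions.

```python
import re

# Constructed sample: the structured-data element from the log line in the thread.
SAMPLE_SDATA = '[junos@2636.1.1.1.2.36 reason="unset"]'

# RFC 5424 SD-ELEMENT: [SD-ID name="value" ...]; values may escape ", \ and ].
SD_ELEMENT = re.compile(
    r'\[(?P<sd_id>[^\s\]=]+)(?P<params>(?:\s+[^\s=\]]+="(?:\\.|[^"\\])*")*)\s*\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="((?:\\.|[^"\\])*)"')


def parse_sdata(text):
    """Return {(sd_id, param_name): value}; the SD-ID stays one opaque token."""
    out = {}
    for element in SD_ELEMENT.finditer(text):
        for name, value in SD_PARAM.findall(element.group("params")):
            out[(element.group("sd_id"), name)] = re.sub(r'\\(["\\\]])', r'\1', value)
    return out


def dotted_names(params):
    """Key names as in the thread: .SDATA.<sd-id>.<param>, dots in the SD-ID kept."""
    return {f".SDATA.{sd_id}.{name}": v for (sd_id, name), v in params.items()}


def dashed_names(params):
    """Key names as in the pair() suggestion: dots inside the SD-ID become dashes."""
    return {f"SDATA.{sd_id.replace('.', '-')}.{name}": v
            for (sd_id, name), v in params.items()}


def nest(flat):
    """Build nested documents by splitting every key on '.' (assumed behaviour)."""
    root = {}
    for key, value in flat.items():
        if key.startswith("."):          # assumption: leading dot stored as "_"
            key = "_" + key[1:]
        *parents, leaf = key.split(".")
        node = root
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return root


if __name__ == "__main__":
    params = parse_sdata(SAMPLE_SDATA)
    print(nest(dotted_names(params)))    # one level per dot in the SD-ID
    print(nest(dashed_names(params)))    # SD-ID kept as a single level
```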