On Thu, 2012-02-02 at 08:36 -0800, Evan Rempel wrote:
I would like the ability to specify a template that a parser database can take. In my particular case, I want to apply tags to messages that match a combination of $HOST, $PROGRAM, $INSTANCE where $INSTANCE is something parsed out of the message from a previous parser.
To do this right now, I have to use the "rewrite" functionality to rewrite "SAVEMESSAGE" to the current $MESSAGE, then rewrite the MESSAGE to "$HOST $PROGRAM $INSTANCE", run the parser on this to add the tags and then rewrite MESSAGE back to $SAVEMESSAGE ....
or at least I think that would work and is the only way to do this right now.
By specifying a template for the parser, I can leverage the patterndb for any data, including previously parsed fields from a previous parser.
Right now this is not possible, however this is the next item on my todo list. I'd like to convert the db-parser() database to allow matching on any of the fields. -- Bazsi