On Wed, 2010-09-29 at 11:16 -0500, Martin Holste wrote:
> This is powerful stuff! I'm really looking forward to exploring all of the ways it can be used. The Postfix usage example is a great one. One clarification: is $sessionid autogenerated by Syslog-NG, or do we have to create it ourselves using tuples from the messages? I'm assuming it'll use something akin to the $SEQNUM macro.
you have to generate it. in the example above I've parsed a value out of the log message as $sessionid, but you can use more complex values like: $HOST:$PID is usually good, but in other cases the log message contains an explicit session id (postfix messageid for example).
> One other question, can you join an entire preceding message by using something like ${MSG}@0?
@0 is the current message, but template functions get a chance to do with the complete correlation state, thus $(grep) is iterating over all messages. We do have $(echo) but that's intentionally as simple as possible, it only uses the last message.

hmm.. something like $(grep ("a" == "a") $MSG) would do the trick, but may not be the most intuitive to write.

ahh. I've just noted that I didn't blog about $(grep) and $(if), but they certainly do what they imply:

$(grep filter template1 template2 template3...)

searches for messages in the current correlation state matched by filter expression "filter" and evaluating the templates.

$(if filter foo bar)

If filter is true results in foo, otherwise bar.

Filters got extended too, now you can use simple comparison operators a'la perl:

numeric comparison is the same as C (<, <=, ==, >=, >, !=), string comparison is the same as perl: lt, le, eq, ge, gt, ne

You can compare templates, e.g. "$FACILITY_NUM" > "5"
> If so, it would be great if there were a built-in to say all preceding messages, like ${MSG}@-1 or @ALL or something, but I guess that's getting a little more app-level than I'd prefer.
it depends if you want all name-value pairs, or just a single name-value pair. we just have to come up with names for the various functions. they are all possible and simple to do.

--
Bazsi