Hi,

On Fri, Sep 04, 2015 at 08:11:16AM -0700, Evan Rempel wrote:
> For the json parser, I think it would be good to have some kind of option for permitting core macros to be replaced/overwritten. In the case of TAGS, which is a little bit special in the json object because it is converted to a string, rather than a json list, it should be appended to.

Just a small addition I thought useful in the case of Elasticsearch: the fact that TAGS is a comma-separated string is in fact Elasticsearch-friendly: if you set up a decent analyzer (e.g. the default), tags *will* get tokenized and split at the comma, so searching for TAGS:foo *will* do what you think. Of course it would be better to have syslog-ng support real arrays, but I'm sure that'll come soonish enough.

Cheers