Hi Fabien,

Thanks for your input. I didn't know about the fact that you end up with a comma-separated list of tags.

The thing is, in Logsene we currently keep tags not analyzed for two reasons:
- let users do exact matches, especially for multi-word tags like "user error"
- be able to run a terms aggregation on them and show the available tags

An array there would meet our requirements. But I will think about what you suggested and maybe find a good compromise.

Thanks again!

Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/


On Mon, Jul 21, 2014 at 1:46 PM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi Radu,

As Bazsi explained, there is currently no array implementation in syslog-ng,
but you can naturally add as many tags to a message as you want.

Now, when including the TAGS macro in a `format-json` statement, you will
end up with a comma-separated field containing all tags.

As it happens, if sent to Elasticsearch, this field will be indexed by
default using a field of type 'string' and the standard 'analyzer'. This
basically means you will be able to search your documents naturally by tag.

So yes, out of the box, you don't need to do anything, just make sure the
TAGS macro is being sent to ES.

If you want to handle space-separated tags or be case-sensitive, you could
define a custom ES analyzer to only tokenize at the commas, etc.

Cheers
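As an added example (not from either message, nor from the syslog-ng or Logsene projects), here is an Elasticsearch 1.x index definition in the style Fabien suggests: a custom analyzer that tokenizes the comma-joined TAGS string only at commas, with no lowercasing, so a multi-word tag such as "user error" stays one case-sensitive token. That single field satisfies both of Radu's requirements, because a `term` query matches a tag exactly and a `terms` aggregation on the field lists the individual tags. A `not_analyzed` multi-field keeps the untouched comma-separated string as well. The type name `syslog` and the field name `TAGS` are assumptions; the JSON key actually produced depends on how the `format-json` template names the macro.

```json
{
  "settings": {
    "analysis": {
      "tokenizer": {
        "comma_only": {
          "type": "pattern",
          "pattern": ","
        }
      },
      "analyzer": {
        "tags_comma": {
          "type": "custom",
          "tokenizer": "comma_only",
          "filter": ["trim"]
        }
      }
    }
  },
  "mappings": {
    "syslog": {
      "properties": {
        "TAGS": {
          "type": "string",
          "analyzer": "tags_comma",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      }
    }
  }
}
```

With this mapping a document whose TAGS value is `user error,kernel` is indexed with the two tokens `user error` and `kernel`, so `{"term": {"TAGS": "user error"}}` matches it exactly (the standard analyzer would instead have produced the three lowercased tokens `user`, `error` and `kernel`), and `{"terms": {"field": "TAGS"}}` aggregates per tag rather than per whole list. The `trim` filter only strips whitespace around each comma-separated piece; it does not split on spaces, which is the behaviour wanted for multi-word tags.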

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq