Multi-value N=V are evil. They kill log parsers and RDBMS :-) We did think a lot about this conundrum of src_IP="10.10.1.2,10.10.1.3" and might well recommend that it never happens. If we have to deaggregate logs (thus exploding the volume) the whole thing would be a mess...
Yes, they are evil. I was re-reading the recent thread "[syslog-ng] [announce] patterndb project," and I think we were in agreement that tags are still a good thing, though. So, how do we store the multi-value N=V but also have the flexibility of tags? My thought is maybe we go with a "primary" tag which is the class, and then the <tags> can be output via macro $TAG. ($TAG will contain all values in <tags>, right?) So for the macro-based file name, you would only use file("/var/log/messages.${.classifier.class}.log") and do your tag grepping normally, where classifier.class would be the primary tag. I think this would work out better in the long run than trying to concatenate tags for the class, because keeping track of the order would be complicated, and it would definitely be better than sticking to logcheck's very limited range of class selections.
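
Added example, not part of the original thread and not syslog-ng code: a Python sketch of the two points discussed above, namely what a comma-joined value such as src_IP="10.10.1.2,10.10.1.3" does to a typed column and to row counts when deaggregated, and how a single primary class plus a free tag set avoids that. The sample line, the field names class, tags and dst_port, and all function names are assumptions made for illustration.

```python
import ipaddress
import itertools
import shlex

# Constructed sample record: two fields carry comma-joined multi-values.
SAMPLE = ('class=firewall tags="deny,scan" '
          'src_IP="10.10.1.2,10.10.1.3" dst_port="22,23,80"')

def parse_nv(line):
    """Split a N=V log line into {name: [values]}, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        name, _, value = token.partition("=")
        fields[name] = value.split(",")
    return fields

def fits_inet_column(raw):
    """True if the raw value would load into a single-address column."""
    try:
        ipaddress.ip_address(raw)
        return True
    except ValueError:
        return False

def deaggregate(fields, keep_joined=("tags",)):
    """One single-valued row per combination of the multi-value fields."""
    names = list(fields)
    columns = [[",".join(fields[n])] if n in keep_joined else fields[n]
               for n in names]
    return [dict(zip(names, combo)) for combo in itertools.product(*columns)]

def route(fields):
    """Primary class picks the file; tags stay a set for later grepping."""
    (primary,) = fields["class"]  # ValueError if the class is multi-valued
    tags = frozenset(fields.get("tags", []))
    return f"/var/log/messages.{primary}.log", tags

if __name__ == "__main__":
    rec = parse_nv(SAMPLE)
    print("raw src_IP loads as inet:", fits_inet_column(",".join(rec["src_IP"])))
    print("rows after deaggregation:", len(deaggregate(rec)))
    print("rows if tags are split too:", len(deaggregate(rec, keep_joined=())))
    print("destination and tags:", route(rec))
```

One input line becomes 6 rows when only the address and port fields are split, and 12 if the tags are split as well, while routing on the single class value keeps one line in one file with the tags still searchable.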