On Fri, Oct 15, 2010 at 12:48:14PM -0600, Bill Anderson wrote:
> I have hostnames of the format xxxx# such as host1, hostb1, hostc1. I need to split that into two fields such as (host,1).
> Unfortunately, since @@ escapes the @ and STRING and its followers ALSO match digits, I've not found the obvious means to get that out. Conceptually something like @LETTER:host.name@@NUMBER:host.id@ would do it, save that LETTER doesn't exist and @@ escapes.

I think you can get around @@ escapes by adding extra @'s. ;-) Too bad LETTER doesn't exist yet. Man I wish it did for some of the @#$%^&* @#$% I have to parse.

> The end goal is as follows (pseudo-code): I need to have a destination for each (HOST). For example all files from hosta## go to /var/log/hosta/ and entries for hostb## go to /var/log/hostb/

Goal makes sense for a big server farm. Crazy idea. Depending how your IP subnets are set up... could you break the host IPs into pieces using '.' and direct the logs where they need to go using the IP?

> I suppose I *might* be able to do a rewrite to add say, a hyphen, and then use csv-parser, but we're talking some heavy traffic and I suspect that doing rewrites on that much traffic would be a performance killer.

Can you try the rewrite on a second syslog-ng receiving a relayed copy of the traffic using AF_UNIX SOCK_DGRAM also known as unix-dgram driver? That way if it has disastrous side effects you could find out without causing outages in your primary syslog-ng. I often use this sort of approach for testing crazy ideas.

> I'm open to suggestions (that don't involve changing server names, preferably ;) ) as to how to accomplish this.

Let's keep working on it until we come up with a good idea. There has to be some way to make it happen.

> Cheers, Bill
Regards, Matthew Hall.
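
One way to get the (host, 1) split and the per-group destinations discussed above, as an added example that is not from either poster: it uses a regular-expression filter with store-matches instead of patterndb or a rewrite. The 3.1 version line, the UDP listener, the object names and the unmatched.log path are assumptions.

```conf
@version: 3.1

# Constructed example: listener address, object names and paths are placeholders.
source s_net { udp(ip("0.0.0.0") port(514)); };

# Anchored match on the hostname: letters, then digits, nothing else.
# flags("store-matches") keeps the groups as $1 (letters) and $2 (digits),
# so host1 gives (host, 1) and hostb1 gives (hostb, 1).
filter f_hostsplit {
    host("^([a-z]+)([0-9]+)$" flags("store-matches"));
};

# $1 can only contain a-z because the pattern is anchored at both ends,
# so a sender-supplied hostname such as "../etc" never reaches the path.
destination d_by_group {
    file("/var/log/$1/${HOST}.log" create_dirs(yes));
};

# Hostnames outside the naming scheme land in one fixed file instead of
# creating directories from names the sender controls.
destination d_unmatched { file("/var/log/unmatched.log"); };

# Matching hosts stop here (final); everything else falls through.
log { source(s_net); filter(f_hostsplit); destination(d_by_group); flags(final); };
log { source(s_net); destination(d_unmatched); };
```

The stored matches come from the last filter evaluated in the log path, so keep f_hostsplit as the final filter before d_by_group.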