This way, your collector destination may find a properly json formatted message that it can send out without using a specific template string.rewrite { set("$(format-json --pair newfield=\"value\")" value('MSG')); };I think Fabien is right, but maybe some more hints could help you. So, yes, json-parser() is responsible for parsing messages out-of your log file, it simply sets a number of name-value pairs based on the input.log {source {
file("/var/log/app.log");
};parser { json-parser(); };destination { tcp("logcollector" template(""$(format-json --pair newfield=\"value\")" )); };};If you don't want to specify template towards your log collector explicitly, you can also rewrite the $MSG name-value pair:--
BazsiOn Sun, Sep 4, 2016 at 2:42 AM, Jorge Pereira <jpereiran@gmail.com> wrote:______________________________Hi team,Currently, I receive a jSON log from X, but I would like to append a new field. is it possible?e.g: I am trying to do something like:log {source {file("/var/log/app.jsonlog"program_override("ng_app")follow_freq(1)flags(no-parse)template("$(format-json --pair newfield=\"value\")"););};destination(d_remote_collector); };______________________________ __________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product= syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
____________________________________________________________ __________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/? product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq