[syslog-ng] CSV parser and empty fields

Fekete Róbert frobert at balabit.hu
Sat Nov 6 20:13:57 CET 2010 

 
On Saturday, November 06, 2010 00:40 CET, Matthew Hall <mhall at mhcomputing.net> wrote: 
 
> I'm surprised it doesn't handle doubled delimiters right.
> 
> However I am likewise stumped. I can't find any explanation anywhere in 
> the Balabit docs which explain what escape-* options do specifically.
You´re right, that is missing. I´ll hunt down what they do, and add it to the docs.

@Bill:
I can think of two possibilities that might do what you´re looking for:
1. In your template, try to specify a default value for your macros, for example, to specify a dash: 
{$APACHE.REFERRER:-}
The problem with this is that it might not work - default values probably work only during parsing, and not when the macro is used is a template, but I think it is worth a try. If they were implemented in a universal way, it might work.

2. In syslog-ng OSE 3.2, you can use template functions and other operators to check and compare macro values. You would need to use the "if" template function to return a dash or other suitable value if your macros are empty (""). So instead of $APACHE.REFERRER, your template would look something like:
$(if ("${APACHE.REFERRER}" == "") "-" $APACHE.REFERRER)

See http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/reference-template-functions.html
and 
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/filters-comparing.html
for details.

Regards, 

Robert

> 
> I guess reading the code is the only option for now. :/
> 
> On Fri, Nov 05, 2010 at 05:26:38PM -0600, Bill Anderson wrote:
> > Thanks for your reply, Mathew. Perhaps I wasn't clear enough. The 
> > syslog-ng produced logfile that logs $MSG is *just fine*. The tabs are 
> > there, and anything that parses it and expects the fields gets them 
> > just fine. The problem arises when the template only needs to log 
> > fields from the csv parser and a preceding field is empty. If there 
> > are any flags on that page that affect how the csv-parser handles 
> > empty fields, I'd appreciate them being pointed out, as I didn't see 
> > any.
> > 
> > Cheers,
> > Bill
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
>

More information about the syslog-ng mailing list