[syslog-ng] CSV parser and empty fields

[Bill Anderson]

On Nov 8, 2010, at 7:30 AM, Bill Anderson wrote:

> 
> On Nov 6, 2010, at 1:13 PM, Fekete Róbert wrote:
> 
>> 
>> On Saturday, November 06, 2010 00:40 CET, Matthew Hall <mhall at mhcomputing.net> wrote: 
>> 
>>> I'm surprised it doesn't handle doubled delimiters right.
>>> 
>>> However I am likewise stumped. I can't find any explanation anywhere in 
>>> the Balabit docs which explain what escape-* options do specifically.
>> You´re right, that is missing. I´ll hunt down what they do, and add it to the docs.
>> 
>> @Bill:
>> I can think of two possibilities that might do what you´re looking for:
>> 1. In your template, try to specify a default value for your macros, for example, to specify a dash: 
>> {$APACHE.REFERRER:-}
>> The problem with this is that it might not work - default values probably work only during parsing, and not when the macro is used is a template, but I think it is worth a try. If they were implemented in a universal way, it might work.
> 
> I'm with you in the suspicion it won't work but I'll give it a shot. If it doesn't, I'll go with below for now.

Just to confirm, this did not work. It still wound up with the final field.

> 
>> 
>> 2. In syslog-ng OSE 3.2, you can use template functions and other operators to check and compare macro values. You would need to use the "if" template function to return a dash or other suitable value if your macros are empty (""). So instead of $APACHE.REFERRER, your template would look something like:
>> $(if ("${APACHE.REFERRER}" == "") "-" $APACHE.REFERRER)
> 
> 3.2 isn't an option just yet here, so this won't work. However, it gives me an idea. Perhaps prior to calling the parser I could to a rewrite on "\t\t" to "\t-\t". It feels hackish, but might work as long as the performance impact isn't too bad.


So far this isn't working either.