[syslog-ng] [RFC] value-pairs(), take #3
Gergely Nagy
algernon at balabit.hu
Sun Feb 6 21:32:11 CET 2011
Hi!
Based on the feedback from this list, we've had a little discussion with
Bazsi on how to improve value-pairs(), and we came up with something
that is hopefully more consistent and easier to use than my last
proposal.
The Syntax
==========
We'd have two syntaxes, one for the configuration file itself (usable by
the drivers), and one for template functions (eg, tfjson): they'll share
most properties, the difference will be in how they appear. See the
example below:
config file:
------------
value-pairs(
scope(nv_pairs core syslog all_macros selected_macros everything)
exclude("R_*")
exclude("S_*")
key(".SDATA.meta.sequenceId")
pair("MSGHDR" "$PROGRAM[$PID]: ")
)
template function:
------------------
$(format-json --scope nv_pairs,core,syslog,all_macros,selected_macros,everything \
--exclude R_* --exclude S_* --key .SDATA.meta.sequenceId \
--pair MSGHDR="$PROGRAM[$PID]: ")
Explanation
-----------
The above examples would start with a full set of name-value pairs (due
to having "everything" in the scope; we could start with selected_macros
instead [see below]). The scope can only be extended by subsequent calls
to scope(), but even then, the set will be built only once, at the
beginning. We'll likely end up with throwing a syntax error during parse
if more than one scope() statement is seen, or if it's not the first
statement within value-pairs().
However, explicitly specifying a key-value pair (either via key() or
pairs()) will use the full set, regardless what scope() was selected.
This, however, might change, if people find this too confusing. But
changing this will complicate the code quite a lot, and remove some of
the flexibility.
More information about the syslog-ng
mailing list