[syslog-ng] [RFC] value-pairs(), take #3

Evan Rempel erempel at uvic.ca
Mon Feb 7 17:54:46 CET 2011


> 
> value-pairs(
>   scope(selected_macros nv_pairs)
>   select(.*)
>   select("usracct.*")
>   select("secevt.*")
>   select(".SDATA.*")
>   exclude("*")
>   key("SEVERITY") key("HOST") key("PROGRAM") key("PID")
>   key("MSG") key("TAGS")
>   pair("timestamp" "$UNIXTIME")
> );

I think I've realized why I have so much trouble with the meaning of
this stanza.

I think that you are approaching this as a filter of the keys.
When doing this the first filter that "matches" the key is the one that
actually determines if the key is included or not.

I approach this as a set theory specification. In set theory, it is
the last item that determines if a key is included.

Both are equally flexible and unambiguous. My preference for this
type of task is to use set theory. I view this as building a set of
keys to place into the output template.

I find the following a lot more intuitive.

value-pairs(
   scope(selected_macros nv_pairs)
   exclude("*")
   select("secevt.*")
   select("usracct.*")
   select(.*)
   key("SEVERITY") key("HOST") key("PROGRAM") key("PID")
   key("MSG") key("TAGS")
   pair("timestamp" "$UNIXTIME")
);


select(".SDATA.*") isn't needed because it matches the select(.*) anyway.

This would mean
   - exclude everything, then add back in the secevt.* and usracct.* and .*

This method is even more obvious when you match subgroups:

value-pairs(
   scope(selected_macros nv_pairs)
   exclude("*")
   select("secevt.*")
   select("usracct.*")
   exclude("usr.acct.*.something")
   select(.*)
   key("SEVERITY") key("HOST") key("PROGRAM") key("PID")
   key("MSG") key("TAGS")
   pair("timestamp" "$UNIXTIME")
);


If you opt for the filter approach then the docs will have to be clear in
stating that the select and include are final filters. Selects or excludes
that follow will have no effect.


-- 
Evan
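To make the two readings concrete, here is a small evaluator (added here, not part of the original post or of syslog-ng) that applies the quoted filter-order stanza and the set-order rewrite to a constructed list of keys under both "first matching rule decides" and "last matching rule decides" semantics. It assumes patterns are regular expressions matched against the whole key, that a bare "*" means every key, and that a key no rule matches is left out.

```python
import re

# Constructed sample of message keys (not from the original post): a few
# macro names and name-value pairs as they might appear in a message.
SAMPLE_KEYS = [
    "HOST", "MSG", "secevt.login", "usracct.user",
    "usracct.shell.something", ".SDATA.meta.sequenceId", "misc.note",
]

# The two orderings under discussion. Patterns are assumed to be regexes
# matched against the whole key; "*" is assumed to mean "every key".
FILTER_ORDER = [
    ("select", r".*"), ("select", r"usracct\..*"), ("select", r"secevt\..*"),
    ("select", r"\.SDATA\..*"), ("exclude", "*"),
]
SET_ORDER = [
    ("exclude", "*"), ("select", r"secevt\..*"), ("select", r"usracct\..*"),
    ("select", r".*"),
]


def _matches(pattern, key):
    return pattern == "*" or re.fullmatch(pattern, key) is not None


def first_match(keys, rules):
    """Filter semantics: the first rule that matches a key decides it."""
    out = set()
    for key in keys:
        for action, pattern in rules:
            if _matches(pattern, key):
                if action == "select":
                    out.add(key)
                break  # later rules have no say once one has matched
    return out


def last_match(keys, rules):
    """Set semantics: the last rule that matches a key decides it."""
    out = set()
    for key in keys:
        decision = None
        for action, pattern in rules:
            if _matches(pattern, key):
                decision = action  # keep overriding; the last match wins
        if decision == "select":
            out.add(key)
    return out


if __name__ == "__main__":
    for name, rules in (("filter-order", FILTER_ORDER), ("set-order", SET_ORDER)):
        print(name, "first-match keeps", sorted(first_match(SAMPLE_KEYS, rules)))
        print(name, "last-match keeps", sorted(last_match(SAMPLE_KEYS, rules)))
```

Under these assumptions each stanza keeps every key under one reading and no key at all under the other, which is why the documentation has to state which rule wins.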

