[syslog-ng] [RFC]: value_pairs() demo

Evan Rempel erempel at uvic.ca
Sat Jan 29 16:40:03 CET 2011


> From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Gergely Nagy [algernon at balabit.hu]
> Sent: Saturday, January 29, 2011 6:14 AM
> To: Syslog-ng users' and developers' mailing list
> Subject: [syslog-ng] [RFC]: value_pairs() demo
> 
> [...snip...]
> 
> destination d_mongo {
>   mongodb(
>     value_pairs(builtins(no) select("*") exclude(".classifier.rule_id")
>                 "$HOST" "$MESSAGE"
>                 ("PROGRAM" "$PROGRAM[$PID]") ("TIMESTAMP" "$UNIXTIME"))
>   );
> };
> 
> And this will do exactly what it says: skip builtins, select everything
> that is left, and exclude ".classifier.rule_id" from that, and then add
> a few extra stuff on our own.

I think that the "builtin(no)" option should be abandoned in favour of something else.
It is really nothing more than a power-select or power-exclude but it does not
honour the order requirement of the select/exclude options. In the above example
you have excluded the built in macros but then used a select("*") which implies adding
everything back in. If you had done these in the opposite order, what semantic would
be intended?

It is unclear to me what is defined as a builtin macro and which ones are not.

It is also unclear where the $UNIXTIME came from since it was not shown at all
in the example that apparently included everything.

Perhaps just relying on the select/exclude (which should probably be renamed to include/exclude)
would be sufficient since in most cases at least some of the builtin macros will be desired and
like in your example where you included the $HOST and $MESSAGE it would have been almost
as easy to merely exclude the others by name and not use the builtin option at all.

Just my $0.02

Evan Rempel.

