[syslog-ng] RFC: value-pairs key rewrite framework, part N+1
Gergely Nagy
algernon at balabit.hu
Sat Nov 5 15:09:33 CET 2011
Balazs Scheidler <bazsi at balabit.hu> writes:
> On Tue, 2011-10-04 at 10:56 +0200, Gergely Nagy wrote:
>> So I came up with a different syntax: wiring rekey into the key() option
>> of value-pairs! That way, we already selected a subset to work on, and
>> the transformations would apply to only those.
>>
>> (This could be combined with the global syntax as well, though)
>>
>> So it'd look something like this:
>>
>> value-pairs(
>>     scope("everything")
>>     key(".secevt.*" rekey(add-prefix("events")))
>>     key(".classifier.*" rekey(add-prefix("syslog-ng")))
>>     key(".sdata.*" rekey(shift(1)))
>>     key(".*" rekey(replace ("." "_")))
>> );
Doing this proved to be more difficult than originally anticipated, so I
ended up with something in between (which, eventually, will be turned
into the syntax above):

value-pairs(
    scope(everything)
    rekey(".cee.*"
        shift(4)
        add-prefix("Events")
        replace("Events.move_me_to_the_top" "moved_to_the_top")
    )
    rekey(".classifier.*" add-prefix("syslog-ng"))
    rekey(".sdata.*" shift(1))
    rekey(".*" replace("." "_"))
);
> We've discussed this IRL and came to the conclusion that it is very
> handy to allow key-rewrite to be applied on a per-glob basis (e.g. to
> associate the rewrite function to the set specified by --key).
This is now (partially) done on my feature/3.4/value-pairs/rekey
branch. Since it's still a work in progress, I'm not including the
merged patches yet, but give a pointer to a diff between 3.4 master and
my branch instead:
https://github.com/algernon/syslog-ng/compare/algernon:upstream/mirror/3.4...algernon:feature/3.4/value-pairs/rekey
> Something along the lines of:
>
> $(format-json --key .cee.* --rewrite replace .cee=Event)
This is not done yet, either. I'll make key() take a glob first, then
proceed with the commandline support.
--
|8]
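
Added example, not part of the original message and not syslog-ng code: a small Python model of what the rekey() rules above would do to key names. It assumes shift(n) drops the first n characters, add-prefix() prepends its argument, replace() rewrites only a leading match, and each glob is tested against the original key name; the sample keys are constructed.

```python
from fnmatch import fnmatchcase

# Transformations named as in the message; their semantics are assumptions.
def shift(n):
    return lambda key: key[n:]

def add_prefix(prefix):
    return lambda key: prefix + key

def replace(old, new):
    # Assumed: only a match at the start of the key is replaced.
    return lambda key: new + key[len(old):] if key.startswith(old) else key

# The rekey() rules from the message, in order: (glob, [transformations]).
RULES = [
    (".cee.*", [shift(4), add_prefix("Events"),
                replace("Events.move_me_to_the_top", "moved_to_the_top")]),
    (".classifier.*", [add_prefix("syslog-ng")]),
    (".sdata.*", [shift(1)]),
    (".*", [replace(".", "_")]),
]

def rekey(key, rules=RULES):
    """Return the rewritten name for one key."""
    name = key
    for glob, transforms in rules:
        if fnmatchcase(key, glob):  # assumed: glob is tested on the original name
            for transform in transforms:
                name = transform(name)
    return name

def rewrite_pairs(pairs, rules=RULES):
    """Rewrite every key; raise instead of silently overwriting on a collision."""
    out = {}
    for key, value in pairs.items():
        new = rekey(key, rules)
        if new in out:
            raise ValueError(f"{key!r} collides with another key on {new!r}")
        out[new] = value
    return out

# Constructed sample name-value pairs, not taken from a real log.
SAMPLE = {
    ".cee.move_me_to_the_top": "1",
    ".cee.action": "login",
    ".classifier.class": "system",
    ".sdata.timeQuality.isSynced": "1",
    ".unmatched.key": "x",
    "HOST": "web1",
}
```

The collision check is an addition of this example: two source keys that rewrite to the same name would otherwise lose one value without notice.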