[syslog-ng] Rationale for json TAGS not being a json array?

Gergely Nagy algernon at balabit.hu
Wed May 16 12:19:20 CEST 2012


Evan Rempel <erempel at uvic.ca> writes:

> Before I report a bug/feature change I would like to ask if there was any reason that
> the JSON output for multi-value items simply joins them with a comma rather than
> turning them into a JSON array.
>
> Most notably, the TAGS field as put out by format-json shows something like:
>
> "TAGS": ".source.patterndb,.classifier.cluster,.net.connected"
>
> where these are autopopulated by the patterndb
>
> .source.patterndb,.classifier.cluster
>
> and this one is added by a specific tags entry in my patterndb.
>
>          <tags>
>            <tag>.net.connect</tag>
>          </tags>

This is because "TAGS" itself is stored like this internally, and the
JSON output doesn't do any post-processing on the values.

It's been on my TODO list for a while, and once the JSON output
understands how to build arrays and nested structures properly (which is
being done as part of a GSoC project this summer, FYI), then we can -
and will - figure something out to handle TAGS sanely, and present them
as arrays when that's the desired format.

How that will be done is another matter, but it's something I need too,
and preferably sooner than later. I'll happily discuss my current ideas
if you're interested, and of course, opinions about the implementation
ideas would be more than welcome too.

-- 
|8]
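
A consumer-side workaround for the behaviour discussed in this thread, as an added example that is not part of the original message and not syslog-ng code: it splits the comma-joined "TAGS" string from format-json output into a list and matches tags exactly, since a substring test on the joined string would report ".net.connect" as present when only ".net.connected" is. The "MESSAGE" field, the sample lines and all function names are assumptions made for illustration; a tag name that itself contained a comma could not be recovered this way.

```python
import json

# Constructed sample lines in the shape quoted in the thread (not real logs).
SAMPLE_LINES = [
    '{"MESSAGE": "conn up", "TAGS": ".source.patterndb,.classifier.cluster,.net.connected"}',
    '{"MESSAGE": "no tags", "TAGS": ""}',
    '{"MESSAGE": "field missing"}',
    '{"MESSAGE": "already an array", "TAGS": [".net.connect"]}',
    'not json at all',
]

def normalize_tags(event):
    """Return a copy of the event with TAGS as a list of tag names."""
    raw = event.get("TAGS")
    if isinstance(raw, list):
        # Already an array: keep it, coercing members to strings.
        tags = [str(t) for t in raw]
    elif isinstance(raw, str):
        # Comma-joined form described in the thread; drop empty pieces.
        tags = [t.strip() for t in raw.split(",") if t.strip()]
    else:
        # Field absent or of an unexpected type.
        tags = []
    out = dict(event)
    out["TAGS"] = tags
    return out

def parse_lines(lines):
    """Parse one JSON object per line; return (events, rejected_lines)."""
    events, rejected = [], []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)
            continue
        if not isinstance(obj, dict):
            rejected.append(line)
            continue
        events.append(normalize_tags(obj))
    return events, rejected

def has_tag(event, tag):
    """Exact tag match on a normalized event."""
    return tag in event["TAGS"]

if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LINES)
    for ev in events:
        print(json.dumps(ev))
    print("rejected:", rejected)
```
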


