[syslog-ng] [PATCH 2/2] [dbparser] min and max message count condition in correlation actions
Gergely Nagy
algernon at balabit.hu
Fri Nov 16 12:28:05 CET 2012
Gergely Nagy <algernon at balabit.hu> writes:
> Balazs Scheidler <bazsi77 at gmail.com> writes:
>
>> what about introducing a template function that expands to the number
>> of elements in the context?
>
> Mmm... that would require extending LogTemplate, and would also mean we
> have to expand templates in dbparser at action calling time, which
> sounds inefficient to me.
...and I was so very wrong! While not a template function, but something
equally simple was very easy: exporting the context length as the
$CONTEXT_LENGTH variable gets pretty much the same thing done. While
this solution has the side-effect of always adding CONTEXT_LENGTH to a
message when there is a context, it's also a lot lighter than a template
function, in my opinion. (The template function would have to go through
some hoops while getting called, and would need to look up the context
via context_id... a rather long dance)
This means that <action condition='"${CONTEXT_LENGTH}" <= "2"'> works,
and one can use any kind of template function too, so this would work
too:
<action condition='"$(% ${CONTENT_LENGTH} 10)" == "0"'>
I pushed this - and a slightly reworked <message
inherit-properties='TRUE'> patch - to the
feature/3.4/dbparser/corellation-improvements branch, and will merge
them to merge-queue/3.4 shortly.
--
|8]
More information about the syslog-ng
mailing list