[syslog-ng] patterndb and context - access fields from initial message

[Atom2]

Am 08.07.14 18:02, schrieb Tusa Viktor:
> Hi!
>
> I think, the negative notation could solve this situation eg.: $MACRO at -N
> would mean the first Nth message in the context and not the last Nth. I
> checked the code and it is not terrible hard to implement. I can make a
> PoC for you in the next week, if you would like to test it.
>
> Regards,
> Viktor
Thanks Victor,
that sounds like a very promising solution and I am more than happy to 
test it. Auto-applying a patch to my 3.4.7 version is not really hard as 
I use gentoo and its emerge system to re-install ebuilds is very 
flexible given that gentoo is a source based distribution. The only 
thing is that I would prefer to stick to version 3.4.7 for my testst as 
this is the latest stable version available for gentoo. I hope that also 
works out for you.

I am looking forward to your patch whenever you have a chance to make it 
happen.

Many thanks

Atom2

>
>
> On Tue, Jul 8, 2014 at 11:54 AM, Fabien Wernli <wernli at in2p3.fr
> <mailto:wernli at in2p3.fr>> wrote:
>
>     Hi,
>
>     I'm AFK for a while but did you check out the `grep` template function?
>
Thanks Fabien,
I haven't checked your suggested grep template function yet and to be 
honest, up to your kind suggestion, I was not even aware of any such 
tenplate.
Having looked at the documentation and assuming that I have fully 
understood it, I am however not sure whether it would be the best 
solution for at least the following two reasons:
1) I guess it might not be very efficient for a largish contexts as grep 
needs to search through all messages within the context which might be 
processing intensive and
2) If the same named macro is available in more than one message within 
the context (which is the case in my patterndb), I would get a 
comma-seperated list of (identical) values which would require further 
processing to extract only one of the values delivered by the tempate. I 
am sure that could somehow be sorted, but Victor's extension described 
above seems to be easier on the outset and it might also be of interest 
to others.

Having said that, your approach is really creative and I have learned 
something new. Many thanks for that.

Atom2


>     Cheers
>     ______________________________________________________________________________
>     Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>     Documentation:
>     http://www.balabit.com/support/documentation/?product=syslog-ng
>     FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>