[syslog-ng] (no subject)

Fabien Wernli wernli at in2p3.fr
Mon Jul 21 12:46:37 CEST 2014


Hi Radu,

As Bazsi explained, there is currently no array implementation in syslog-ng,
but you can naturally add as many tags to a message as you want.

Now, when including the TAGS macro in a `format-json` statement, you will
end up with a comma-separated field containing all tags.

As it happens, if sent to Elasticsearch, this field will be indexed by
default using a field of type 'string' and the standard 'analyzer'. This
basically means you will be able to search your documents naturally by tag.

So yes, out of the box, you don't need to do anything, just make sure the
TAGS macro is being sent to ES.

If you want to handle space-separated tags or be case-sensitive, you could
define a custom ES analyzer to only tokenize at the commas, etc.

Cheers
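An added illustration of the point above about analyzers (example code written for this page, not from the syslog-ng project or the mail's author): the `SAMPLE_DOCS` records are constructed to look like what a `format-json` template carrying the TAGS macro might emit, `INDEX_BODY` is an assumed Elasticsearch index definition with a custom comma-only analyzer, and the two `*_analyzer` functions are simplified emulations of the default `standard` analyzer and of that custom analyzer, so the difference in search results can be seen offline.

```python
import re

# Constructed sample documents, shaped like syslog-ng output from a template
# such as $(format-json --scope selected-macros --key TAGS) (assumed template;
# the exact JSON depends on your configuration). One tag contains a space.
SAMPLE_DOCS = [
    {"MESSAGE": "login ok",  "TAGS": "auth,Web Server"},
    {"MESSAGE": "disk full", "TAGS": "storage,alert"},
    {"MESSAGE": "cron run",  "TAGS": "web,server"},
]

# Assumed Elasticsearch index body: a 'pattern' tokenizer that splits only at
# commas, wrapped in a custom analyzer and applied to the TAGS field. This
# keeps "Web Server" as one token and preserves case.
INDEX_BODY = {
    "settings": {
        "analysis": {
            "tokenizer": {"comma_only": {"type": "pattern", "pattern": ","}},
            "analyzer": {"tags_comma": {"type": "custom", "tokenizer": "comma_only"}},
        }
    },
    "mappings": {"properties": {"TAGS": {"type": "text", "analyzer": "tags_comma"}}},
}


def standard_analyzer(text):
    """Simplified emulation of the default 'standard' analyzer: split on any
    non-word run (commas and spaces alike) and lowercase every token."""
    return [t.lower() for t in re.split(r"\W+", text) if t]


def comma_analyzer(text):
    """Emulation of the custom 'tags_comma' analyzer: split only at commas,
    keep case, drop empty tokens from stray commas."""
    return [t for t in text.split(",") if t]


def search_by_tag(docs, tag, analyzer):
    """Return the MESSAGE of every document whose analyzed TAGS field contains
    all tokens of the analyzed query (an AND-style match on the tag field)."""
    query_tokens = analyzer(tag)
    hits = []
    for doc in docs:
        tokens = analyzer(doc["TAGS"])
        if all(q in tokens for q in query_tokens):
            hits.append(doc["MESSAGE"])
    return hits


if __name__ == "__main__":
    for name, analyzer in (("standard", standard_analyzer), ("comma", comma_analyzer)):
        print(name, "Web Server ->", search_by_tag(SAMPLE_DOCS, "Web Server", analyzer))
```

With the standard analyzer a search for the single tag `Web Server` also returns the document tagged `web` and `server` separately, because both fields analyze to the same lowercase tokens; with the comma-only analyzer the multi-word tag stays intact and the lookup becomes case-sensitive, which is the trade-off the mail describes.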


