[syslog-ng] (no subject)

Mon Jul 21 13:50:58 CEST 2014

Hi Fabien,

Thanks for you input. I didn't know about the fact that you end up with a
comma-separated list of tags.

The thing is, in Logsene we currently keep tags not analyzed for two
reasons:
- let users do exact matches, especially for multi-word tags like "user
error"
- be able to run a terms aggregation on them and show the available tags

An array there would meet our requirements. But I will think about what you
suggested and maybe find a good compromise.

Thanks again!

Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Mon, Jul 21, 2014 at 1:46 PM, Fabien Wernli <wernli at in2p3.fr> wrote:

> Hi Radu,
>
> As Bazsi explained, there is currently no array implementation in
> syslog-ng,
> but you can naturally add as many tags to a message as you want.
>
> Now, when including the TAGS macro in a `format-json` statement, you will
> end up with a coma-separated field containing all tags.
>
> As it happens, if sent to Elasticsearch, this field will be indexed by
> default using a field of type 'string' and the standard 'analyzer'. This
> basically means you will be able to search your documents naturally by tag.
>
> So yes, out of the box, you don't need to do anything, just make sure the
> TAGS macro is being sent to ES.
>
> If you want to handle space-separated tags or be case-sensitive, you could
> define a custom ES analyzer to only tokenize at the comas, etc.
>
> Cheers
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20140721/25bb5699/attachment.htm 