[syslog-ng] ReRe: Fields don't appear on kibana.

Fabien Wernli wernli at in2p3.fr
Tue Sep 8 22:37:38 CEST 2015


Hi,

On Fri, Sep 04, 2015 at 08:11:16AM -0700, Evan Rempel wrote:
> For the json parser, I think it would be good to have some kind of option for permitting core macros to be replaced/overwritten.
> In the case of TAGS, which is a little bit special in the json object because it is converted to a string, rather than a json list, it should be appended to.

Just a small addition I thought useful in the case of Elasticsearch: the fact
that TAGS is a comma separated string is in fact Elasticsearch-friendly: if
you set up a decent analyzer (e.g. the default), tags *will* get tokenized
and split at the comma, so searching for TAGS:foo *will* do what you think.

Of course it would be better to have syslog-ng support real arrays, but I'm
sure that'll come soonish enough.

Cheers


