[syslog-ng] Requesting help with Grouping-by function
Fabien Wernli
wernli at in2p3.fr
Tue Nov 3 12:05:34 UTC 2020
Hi Maciek,
On Tue, Nov 03, 2020 at 12:24:40PM +0100, Maciek Solnicki wrote:
> destination {
>     file('/tmp/test.json' template("$(format-json .auditd.*)\n"));
> };
> };
This means you're outputting the contents of all `.auditd.` macros to file
test.json.
But your grouping-by parser generates a message with the macro MESSAGE set
to the value "TEST":
> grouping-by(
>     key("${.auditd.msg}")
>     timeout(10)
>     aggregate(value("MESSAGE" "TEST"))
> );
So you won't see it in test.json.
Well, more exactly, you should see it, as the default value of
aggregate(inherit-mode()) is "context", but you won't see the MESSAGE:TEST
macro as you're omitting it from your output.
I'm guessing you should see a message twice in that case.
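The following configuration is an added example, not part of the original thread and not Maciek's or Fabien's config. It puts the grouping-by() parser and the file destination side by side so the point above is visible: the aggregated MESSAGE only appears in the output if the destination template asks for it. The source name s_audit and the assumption that an earlier parser already fills the .auditd.* name-value pairs are hypothetical.

```syslog-ng
# Added example: grouping-by() context keyed on .auditd.msg, with the
# destination template extended so the aggregated MESSAGE is written out.

parser p_group_auditd {
    grouping-by(
        key("${.auditd.msg}")
        timeout(10)
        # "context" keeps the name-value pairs of the context, so the
        # .auditd.* fields survive into the aggregated message; the value()
        # below then sets MESSAGE on top of them.
        inherit-mode("context")
        aggregate(value("MESSAGE" "TEST"))
    );
};

destination d_auditd_json {
    # --key selects the .auditd.* fields as before; --pair adds MESSAGE
    # explicitly, which is what the original template "$(format-json .auditd.*)"
    # left out.
    file("/tmp/test.json"
         template("$(format-json --key .auditd.* --pair MESSAGE=$MESSAGE)\n"));
};

log {
    # s_audit is assumed to deliver messages whose .auditd.* fields are
    # already parsed (for example by a preceding parser in the same log path).
    source(s_audit);
    parser(p_group_auditd);
    destination(d_auditd_json);
};
```

With this template both the pass-through messages and the aggregated one are written to /tmp/test.json; the aggregated record is the one whose MESSAGE field reads "TEST", which is how to tell the two apart when checking that the context actually closed after the 10 second timeout.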