On Thu, May 23, 2013 at 11:42 PM, David Lang <[email protected]> wrote:

> On Thu, 23 May 2013, Jacob Steinberger wrote:
>
>> On 5/22/2013 7:20 PM, Jacob Steinberger wrote:
>>
>>> On 5/22/2013 6:17 PM, David Lang wrote:
>>>
>>>> On Wed, 22 May 2013, Jacob Steinberger wrote:
>>>>
>>>> RH6, and their provided v5 rsyslog.
>>>>>
>>>>> I noticed there is a built in method for CSV parsing, but I'm not
>>>>> finding examples of how to use it. Basic idea is that I'm receiving a
>>>>> syslog message with a bunch of values in a CSV format ...
>>>>>
>>>>> 1,2,3,4,,A,B,,,10
>>>>>
>>>>> Using the CSV feature, I figured it would be easy to get each of those
>>>>> values out for parsing / redirection / logging.
>>>>>
>>>>> Is there an example that I'm just missing? I'm pretty sure I could use
>>>>> the regular expression engine to pull each one out, but that seems
>>>>> excessive if rsyslog can do it for me.
>>>>
>>>> I believe that this is something you would need mmlogparse for, and I'm
>>>> not sure if that is available in V5 or if it was added later.
>>>
>>> Bummer! Guess I get to find out how rsyslog hands large amounts of data
>>> while performing a lot of regular expressions on each row ;)
>>
>> On this train of thought, what I'm looking at doing seems rather
>> inefficient. In order to set up an SQL statement, for example, I'm looking
>> at an expression like ...
>>
>> %msg:R,ERE,0,DFLT:([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)--end%
>>
>> So in order to put the SQL template together, I'd be looking at doing
>> this 17 times, each with a different #/number/placement in
>> %msg:R,ERE,#,DFLT%
>>
>> Is there a better way? Only other thing that comes to mind is to have
>> rsyslog send the data to a mysql procedure that does this, instead of
>> having rsyslog handle it. Performance wise, I'd just have to test, test and
>> test.
>
> One option you have would be to write a format module that takes the raw
> message and formats it into the string you want. Unfortunately this is
> going to be C coding. You would probably be better off upgrading to a newer
> rsyslog, there are .rpm packages available.

As far as I followed the discussion (aka "not very far" ;)), this could be done with field-based extraction. I suggest to have a look at this presentation:

http://de.slideshare.net/rainergerhards1/rsyslog-log-normalization

Especially slide 23+, but I'd go through all so that you have the necessary context. It contains actual config samples as well. Note that this is for v7, so outdated versions require either different syntax (but field extraction is supported in legacy templates) or do not support some features at all.

HTH
Rainer
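The field-based extraction mentioned in the reply above, sketched in legacy template syntax for the CSV-to-SQL case from the thread. This is an added example, not a config posted by anyone on the list; the table name `csvlog`, the column names and the connection values are hypothetical placeholders.

```conf
# Added example (not from the thread). Legacy-format rsyslog config.
# Assumed/hypothetical: table "csvlog", columns f1..f10, DB host/name/user/password.

$ModLoad ommysql

# %msg:F,44:N% = property replacer field extraction:
#   F   field-based extraction
#   44  delimiter as decimal ASCII code (44 = comma)
#   N   1-based field number
# Each comma ends a field, so an empty field (",,") still counts; for the
# sample line "1,2,3,4,,A,B,,,10" field 5 is empty and field 6 is "A".
#
# The trailing ",SQL" template option makes rsyslog escape single quotes and
# backslashes in every inserted value. Message content is sender-controlled,
# so a database template without SQL (or stdsql) escaping is an injection risk.
#
# A legacy $template directive must stay on one line.
$template CsvToSql,"INSERT INTO csvlog (f1, f2, f3, f4, f5, f6, f7, f10) VALUES ('%msg:F,44:1%', '%msg:F,44:2%', '%msg:F,44:3%', '%msg:F,44:4%', '%msg:F,44:5%', '%msg:F,44:6%', '%msg:F,44:7%', '%msg:F,44:10%')",SQL

# Note: %msg% may begin with a space (the separator after the syslog tag),
# in which case field 1 carries it; trim on the database side if needed.

# Action: host,database,user,password;template (all placeholder values)
*.* :ommysql:127.0.0.1,Syslog,dbuser,dbpassword;CsvToSql
```

Each field is pulled by a simple delimiter scan, so the single 16-group regular expression does not have to be evaluated once per column.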

