Please ignore comment about missing "host", that entry came from imfile,
local file digest.
// Johan
On Thu, 12 May 2022 at 10:20, Johan Ryberg <jo...@securit.se> wrote:
> Thanks for you reply.
>
> I added ms and that is empty as well
>
> template(name="ms" type="string"
> string="%timereported:1:3:date-subseconds%")
> template(name="new_unix" type="string"
> string="%timereported:::date-unixtimestamp%%$.ms%")
> set $.ms = exec_template("ms");
> if ($.ms == "0") then {
> set $.ms = "000";
> }
> set $.new_unix = exec_template("new_unix");
>
> template(name="blobstorage" type="list" option.jsonf="on") {
> property(outname="timestamp" name="timereported" dateFormat="rfc3339"
> format="jsonf")
> property(outname="unixtime" name="timereported"
> dateFormat="unixtimestamp" format="jsonf")
> property(outname="ms" name="$.ms" format="jsonf")
> property(outname="new_unix" name="$.new_unix" format="jsonf")
> property(outname="host" name="fromhost-ip" format="jsonf")
> property(outname="message" name="rawmsg-after-pri" format="jsonf")
> property(outname="log_id" name="uuid" format="jsonf")
> }
>
> Output: {"timestamp":"2022-05-12T08:13:32.250744+00:00",
> "unixtime":"1652343212", "ms":"", "new_unix":"", "host":"",
> "message":"{\"log\":<redacted>",
> "log_id":"D3E23BB3CAFE4F68BE2AE4804214228D"}
>
> host is also empty, fun part if I move "host" above "ms" then I got values
> for host.
>
> Any clue how to troubleshoot this?
>
> Best regards Johan Ryberg
>
> On Thu, 12 May 2022 at 09:37, Rainer Gerhards <rgerha...@hq.adiscon.com>
> wrote:
>
>> I would suggest to output $.ms as well. Also, simplify the new_unix
>> timeplate to just contain the default timestamp, see if it works and
>> than go from there with more complex processing.
>>
>> all in all, it doesn't look wrong - probably a detail.
>>
>> HTH
>> Rainer
>>
>> El jue, 12 may 2022 a las 9:28, Johan Ryberg via rsyslog
>> (<rsyslog@lists.adiscon.com>) escribió:
>> >
>> > Hi,
>> >
>> > Running latest version of rsyslog (8.2204.1)
>> >
>> > I'm trying to create a template that ensures unixtimestamp with
>> > milliseconds.
>> >
>> > This is as far as I got
>> >
>> > template(name="ms" type="string"
>> > string="%timereported:1:3:date-subseconds%")
>> > set $!ms = exec_template("ms");
>> > if ($.ms == "0") then {
>> > set $.ms = "000";
>> > }
>> > template(name="new_unix" type="string"
>> > string="%timereported:::date-unixtimestamp%%$.ms%")
>> > set $!new_unix = exec_template("new_unix");
>> >
>> > template(name="storage" type="list" option.jsonf="on") {
>> > property(outname="timestamp" name="timereported"
>> dateFormat="rfc3339"
>> > format="jsonf")
>> > property(outname="unixtime" name="$!new_unix" format="jsonf")
>> > property(outname="host" name="fromhost-ip" format="jsonf")
>> > property(outname="message" name="rawmsg-after-pri" format="jsonf")
>> > property(outname="log_id" name="uuid" format="jsonf")
>> > }
>> >
>> > Sadly the output of unixtime is always empty, "unixtime": ""
>> >
>> > I would very much appreciate some guidance how to make it work and if
>> > possible, more efficient
>> >
>> > Best regards Johan Ryberg
>> > _______________________________________________
>> > rsyslog mailing list
>> > https://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
>> you DON'T LIKE THAT.
>>
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
