Hi Mariusz! I'd suggest you try with mmfields first (https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmfields.html). If no luck then I'd go for mmnormalize.

This way you can extract all the fields required and then use a template to put just the fields you need back into a message. I guess this is the only way to do it properly w/o any side effects.

On Wed, 15 Feb 2023 at 19:36, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:

> I have a misbehaving source which is sending non-compliant CEF events.
> The events have an extra field where it shouldn't be and therefore the
> events get misinterpreted further down the pipeline.
>
> So the question is - what is the most "rsyslog-way" to delete a single
> pipe-delimited field from the middle of the event.
>
> The event typically looks this way:
>
> <PRI>Date time host
>
> CEF:0|Company|Product|Version|Module|extra_field|alert|priority|extended_part
>
> I want to cut the extra_field away.
>
> Since the fields are pipe-delimited, it's tempting to use field() but
> there are two problems with this approach:
>
> 1. As far as I remember, you can't return a set of fields with field().
> Just a single field. So I'd have to iterate over some counter and
> assemble the resulting event from single fields. Not very nice.
>
> 2. If the extended_part contained by any chance a pipe character, it
> would cut that part short. So I can't even make a static list of fields to
> iterate over but I'd have to find how many fields are there. Even uglier.
>
> The other approach I could consider is obviously re_match(). It seems
> simpler in terms of the idea but regex (and I think I'd need to call it
> twice to match both sides of the field I want to cut) seems a bit heavy
> performance-wise for such a small task.
>
> Any better ideas?
>
> MK
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.

-- 
Yury Bushmelev
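An added example of the mmfields-plus-template approach suggested in the reply, written as rsyslog v8 RainerScript; it is not code from the thread or from the rsyslog project, and the source hostname and output file are assumptions:

```conf
# Added example, not from the thread: drop the extra 6th pipe-delimited CEF
# field with mmfields and rebuild the event with a template.
# Assumptions: the misbehaving source is "badsource.example" (constructed),
# it always carries exactly one extra field in position 6, and the CEF
# extension (extended_part) contains no pipe; see the note below.
module(load="mmfields")

# Rebuild the message without field 6. mmfields names the fields f<n>,
# counting from 1, under the JSON root given by jsonRoot. With the default
# RFC3164 parser the leading "CEF:" usually ends up in $syslogtag and $msg
# starts at "0|...", so $!f1 is "0"; if the parser leaves "CEF:0" in $msg,
# $syslogtag is empty and $!f1 is "CEF:0". Emitting %syslogtag% directly
# followed by the fields reproduces the original prefix in both cases.
template(name="cef_drop_extra" type="string"
         string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%$!f1%|%$!f2%|%$!f3%|%$!f4%|%$!f5%|%$!f7%|%$!f8%|%$!f9%\n")

# Only rewrite events from the misbehaving source; everything else keeps its
# normal path through the rest of the configuration.
if $hostname == "badsource.example" and $msg contains "|" then {
    # Split $msg on "|" into $!f1, $!f2, ... (all fields at once).
    action(type="mmfields" separator="|" jsonRoot="!")
    action(type="omfile" file="/var/log/cef-fixed.log" template="cef_drop_extra")
    stop
}
```

If extended_part can itself contain a pipe, mmfields splits it into $!f10, $!f11, ... and this template silently truncates it at the first pipe (the second problem raised in the question); for that case mmnormalize with a liblognorm rule whose last parser is `rest` keeps the tail intact.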