On 18.02.2023 11:45, David Lang wrote:
On Sat, 18 Feb 2023, Mariusz Kruk via rsyslog wrote:
To some extent, it is ;-) But seriously, i terms of event processing
it resembles... awk, for example.
true, but one major thing is that the config is processed in two very
different ways.
Yes, I know. And as I already wrote - I thought so but wanted to be 110%
sure. :-)
Actually I'm not trying to create lookups, I have them. I was just
thinking if there was any way to simplify managing my config a bit.
I have a multi-layered setup routing events from several environments
into different solutions. And I have lookups defining what goes
where. For now for each environment I simply define a lookup file
with additional config snippet loading the lookup definition.
So I have many small .conf files containing something like:
lookup_table(name="template-ip-dest"
file="/etc/rsyslog.d/lookups.d/template/ip-dest.json" reloadOnHUP="on")
And each file has "template" substituted with a proper environment name.
If I add a new environment, I add a new json file with the lookup
contents and a new .conf file for loading said lookup.
It's just that if I was able to do something like (pseudocode)
for A in (env1,env2,env3...) do lookup_table(name=$A & "-ip-dest"
file="/etc/rsyslog.d/lookups.d/" & $A &"/ip-dest.json" reloadOnHUP="on")
that would make my life a bit easier.
But yes, I admit that my use case is very unusual so I didn't expect
such functionality to exist really. As I already said - I just wanted
to be 100% sure I hadn't missed it in case it existed after all.
the lookup table functionality is extremely scalable (I did a test
with over 1400 parsing rules at one point, and the best-to-worst case
match was a 30% lookup difference)
I have around 3800 entries in three types of lookups (almost 160 files
altogether). But it's not as much about scalability, as about
maintainability. I could rework my config to fit "everything" into a
single lookup (or at least just a few of them) but it would be much more
painful to maintain such config. So in this case I'm much more
comfortable with many small lookups. It's just that once in a while if I
add new environment I have to add this new definition of a lookup or
two. Again - it's mostly a convenience thing. It would be easier if it
"happened by itself" but I won't cry if it doesn't ;-)
MK
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
