davidelang
commented
6 years ago Say you have the log entry
David opened the blue door at timestamp
you parse this with rule-:%name:word% opened the %door:word% at %time:timestamp%
by default with the path set to $!, this will result in the variables
$!name="David" $!door="blue" $!timestamp=timestamp
if you set path = $.foo, then the resulting variables would be
$.foo!name="David" $.foo!door="blue" $.foo!timestamp=timestamp
this prevents these from overwriting any variables that may have existed under thease names.
does this clarify it for you?
jbyers-suse
I read the explanation provided in the rsyslog mmnormalize documentation [1]
path [word], defaults to "$!" Specifies the JSON path under which parsed elements should be placed. By default, all parsed properties are merged into root of message properties. You can place them under a subtree, instead. You can place them in local variables, also, by setting path="$.".
I'm looking for some examples of setting the local path variables for the parsed elements from a custom application event log?. Should I list the parsed property names from the rulebase prepended with $! as an example then reference the same property names in a new rsyslog template for processing into another source such as elasticsearch?
Here is the relevant section of the rsyslog configuration
module(load="imfile") input(type="imfile" File="(path to custom application log file)" Tag="app:"
module(load="mmnormalize") action(type="mmnormalize" rulebase="/opt/customapp.rb"
I'll provide the contents of the rulebase that I configured if needed.
Thank you. I appreciate any advice/suggestions/feedback. [1] https://www.rsyslog.com/doc/mmnormalize.html****