Mailing List Archive

field.number as a range
Hello,

I've scoured the documentation, but I don't see a way with
'field.number' to specify a range of fields, particularly the ability to
specify the limit as last item.

For example, to include all fields from number 4 and all following
fields, maybe the syntax would be:

field.number="4:0" or maybe "4:-1".

That doesn't work, of course.

Am I simply not finding the documentation for the field.*-related syntax
to make that work, or are the regex.* handlers the only way to do that?

Processing with the field.* handlers would be faster.

Thanks for any help.

Brian
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: field.number as a range
If you're talking about the field() function, there's only a single
field extraction and there's no negative addressing (which is a bit sad
sometimes but I can do my workarounds ;-)).


On 12.05.2022 00:38, Brian C. Hill via rsyslog wrote:
> Hello,
>
> I've scoured the documentation, but I don't see a way with
> 'field.number' to specify a range of fields, particularly the ability
> to specify the limit as last item.
>
> For example, to include all fields from number 4 and all following
> fields, maybe the syntax would be:
>
> field.number="4:0" or maybe "4:-1".
>
> That doesn't work, of course.
>
> Am I simply not finding the documentation for the field.*-related
> syntax to make that work, or are the regex.* handlers the only way to
> do that?
>
> Processing with the field.* handlers would be faster.
>
> Thanks for any help.
>
> Brian
Re: field.number as a range
Hi Mariusz,

Thanks for the follow-up.

Would you handle this with regex, or is there some other way?

Brian

On 5/11/22 11:55 PM, Mariusz Kruk via rsyslog wrote:
> If you're talking about the field() function, there's only a single
> field extraction and there's no negative addressing (which is a bit
> sad sometimes but I can do my workarounds ;-)).
>
>
> On 12.05.2022 00:38, Brian C. Hill via rsyslog wrote:
>> Hello,
>>
>> I've scoured the documentation, but I don't see a way with
>> 'field.number' to specify a range of fields, particularly the ability
>> to specify the limit as last item.
>>
>> For example, to include all fields from number 4 and all following
>> fields, maybe the syntax would be:
>>
>> field.number="4:0" or maybe "4:-1".
>>
>> That doesn't work, of course.
>>
>> Am I simply not finding the documentation for the field.*-related
>> syntax to make that work, or are the regex.* handlers the only way to
>> do that?
>>
>> Processing with the field.* handlers would be faster.
>>
>> Thanks for any help.
>>
>> Brian
Re: field.number as a range
One possible solution is of course to use regex.

The other one is to recursively (there is no "normal" for in
Rainerscript; just foreach) strip parts from the original string and
manipulate the destination string based on that. But both solutions are
kinda... slow.

And I think the regex solution is faster. I use the "stripping" approach
since I have to do something for each part of the split string so I'd
have to do it anyway.

On 12.05.2022 18:59, Brian C. Hill via rsyslog wrote:
> Hi Mariusz,
>
> Thanks for the follow-up.
>
> Would you handle this with regex, or is there some other way?
>
> Brian
>
> On 5/11/22 11:55 PM, Mariusz Kruk via rsyslog wrote:
>> If you're talking about the field() function, there's only a single
>> field extraction and there's no negative addressing (which is a bit
>> sad sometimes but I can do my workarounds ;-)).
>>
>>
>> On 12.05.2022 00:38, Brian C. Hill via rsyslog wrote:
>>> Hello,
>>>
>>> I've scoured the documentation, but I don't see a way with
>>> 'field.number' to specify a range of fields, particularly the
>>> ability to specify the limit as last item.
>>>
>>> For example, to include all fields from number 4 and all following
>>> fields, maybe the syntax would be:
>>>
>>> field.number="4:0" or maybe "4:-1".
>>>
>>> That doesn't work, of course.
>>>
>>> Am I simply not finding the documentation for the field.*-related
>>> syntax to make that work, or are the regex.* handlers the only way
>>> to do that?
>>>
>>> Processing with the field.* handlers would be faster.
>>>
>>> Thanks for any help.
>>>
>>> Brian
Re: field.number as a range
Hello!

If you need multiple fields and those are single-char-separated, then using
the mmfields action might be more profitable:
https://www.rsyslog.com/doc/master/configuration/modules/mmfields.html.

In a more complicated case I'd suggest engaging mmnormalize instead:
https://www.rsyslog.com/doc/master/configuration/modules/mmnormalize.html

Then you can manipulate the resulting JSON object to strip fields you don't
want to keep or to choose fields you'd like to keep.


On Fri, 13 May 2022 at 00:59, Brian C. Hill via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> Hi Mariusz,
>
> Thanks for the follow-up.
>
> Would you handle this with regex, or is there some other way?
>
> Brian
>
> On 5/11/22 11:55 PM, Mariusz Kruk via rsyslog wrote:
> > If you're talking about the field() function, there's only a single
> > field extraction and there's no negative addressing (which is a bit
> > sad sometimes but I can do my workarounds ;-)).
> >
> >
> > On 12.05.2022 00:38, Brian C. Hill via rsyslog wrote:
> >> Hello,
> >>
> >> I've scoured the documentation, but I don't see a way with
> >> 'field.number' to specify a range of fields, particularly the ability
> >> to specify the limit as last item.
> >>
> >> For example, to include all fields from number 4 and all following
> >> fields, maybe the syntax would be:
> >>
> >> field.number="4:0" or maybe "4:-1".
> >>
> >> That doesn't work, of course.
> >>
> >> Am I simply not finding the documentation for the field.*-related
> >> syntax to make that work, or are the regex.* handlers the only way to
> >> do that?
> >>
> >> Processing with the field.* handlers would be faster.
> >>
> >> Thanks for any help.
> >>
> >> Brian


--
Yury Bushmelev
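
The two approaches suggested in this thread (a regex in the property replacer, and mmfields followed by removing unwanted JSON fields), sketched as an added example that is not from any of the posters. It assumes comma-separated fields in the message, since the thread does not name the delimiter; the template, ruleset and file names are hypothetical.

```rsyslog
# Added example. Assumption: fields in $msg are separated by ",".
# Template, ruleset and output file names are hypothetical.

# Option 1: regex in the property replacer.
# Skip three "field," groups and keep everything after them,
# i.e. field 4 through the last field.
template(name="fromField4" type="list") {
    property(name="msg"
             regex.type="ERE"
             regex.expression="^([^,]*,){3}(.*)"
             regex.submatch="2"
             regex.nomatchmode="BLANK")
    # BLANK: a message with fewer than 4 fields yields an empty string
    constant(value="\n")
}

# Option 2: mmfields splits the message once into $!csv!f1, $!csv!f2, ...
# and the leading fields are then dropped from the JSON tree.
module(load="mmfields")

template(name="csvJson" type="list") {
    property(name="$!csv")
    constant(value="\n")
}

# The ruleset still has to be bound to an input to receive messages.
ruleset(name="fieldsDemo") {
    action(type="omfile" file="/var/log/from-field4.log" template="fromField4")

    action(type="mmfields" separator="," jsonRoot="!csv")
    unset $!csv!f1;
    unset $!csv!f2;
    unset $!csv!f3;
    action(type="omfile" file="/var/log/csv-fields.log" template="csvJson")
}
```

Option 1 writes the tail of the message as one string; option 2 writes the remaining fields as a JSON object keyed f4, f5, and so on.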