I have a misbehaving source which is sending non-compliant CEF events.
The events have an extra field where it shouldn't and therefore the
events get misinterpreted further down the pipeline.
So the question is - what is the most "rsyslog-way" to delete a single
pipe-delimited field from the middle of the event.
The event typically looks this way:
<PRI>Date time host
CEF:0|Company|Product|Version|Module|extra_field|alert|priority|extended_part
I want to cut the extra_field away.
Since the fields are pipe-delimited, it's tempting to use field() but
there are two problems with this approach:
1. As far as I remember, you can't return a set of fields with field().
Just a single field. So I'd have to iterate over some counter and
assemble the resulting event from single fields. Not very nice.
2. If the extended_part contained by any chance a pipe character, it
would cut that part short. So I can't even make a static list of fields to
iterate over but I'd have to find how many fields are there. Even uglier.
The other approach I could consider is obviously re_match(). It seems
simpler in terms of the idea but regex (and I think I'd need to call it
twice to match both sides of the field I want to cut) seems a bit heavy
performance-wise for such a small task.
Any better ideas?
MK
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
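The field-counting logic the post is asking about, written out as an added Python example rather than as rsyslog configuration (it is not rsyslog code and not from the list thread). The sample event is constructed to match the malformed shape described above, and the extension part deliberately contains both an escaped pipe (which the CEF specification requires inside header fields) and a bare pipe, so the example shows why a fixed header-pipe count, not a split over the whole line, is what keeps the extended part intact. The function names, the 8-pipe count and the index 5 of the surplus field are assumptions taken from the layout shown in the post.

```python
# Constructed sample in the malformed shape from the post: one extra header
# field ("extra_field") before "alert". The extension carries an escaped
# pipe ("a\|b") and an unescaped one ("b|c") to exercise the edge case.
SAMPLE = ("<13>Mar  1 12:00:00 host "
          "CEF:0|Company|Product|Version|Module|extra_field|alert|priority|"
          "src=10.0.0.1 msg=a\\|b|c dst=10.0.0.2")


def split_unescaped(s, sep, maxsplit):
    """Split s on sep, ignoring occurrences preceded by a backslash, and stop
    after maxsplit splits so the remainder (the CEF extension) stays whole."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            # keep the escape and the escaped character together
            cur.append(ch)
            cur.append(s[i + 1])
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def drop_cef_header_field(event, index, header_pipes=8):
    """Remove header field number `index` (0-based, "CEF:0" is field 0) from
    an event whose CEF header has `header_pipes` unescaped pipes. A compliant
    CEF header has 7 pipes; the malformed source in the post produces 8.
    Events that do not have exactly that many header pipes are left untouched
    so a compliant event is never damaged."""
    marker = event.find("CEF:")
    if marker < 0:
        return event
    prefix, cef = event[:marker], event[marker:]
    parts = split_unescaped(cef, "|", header_pipes)
    if len(parts) != header_pipes + 1:
        return event
    del parts[index]
    return prefix + "|".join(parts)


if __name__ == "__main__":
    print(drop_cef_header_field(SAMPLE, 5))
```

The guard on the part count only protects compliant events whose extension contains no bare pipe; an event with 7 header pipes and a bare pipe in its extension is indistinguishable from the malformed one by counting alone, which is exactly the ambiguity point 2 of the post raises, so in practice this transformation should be applied only to the offending source (for example keyed on hostname or program name) rather than to every CEF event.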