FilterX is an experimental feature currently under development. Feedback is most welcome on Discord and GitHub.
Available in AxoSyslog 4.8.1 and later.
The parse_kv
FilterX function can split a string consisting of whitespace or comma-separated key=value
pairs (for example, Postfix log messages). You can also specify other value separator characters instead of the equal sign, for example, colon (:
) to parse MySQL log messages. The AxoSyslog application automatically trims any leading or trailing whitespace characters from the keys and values, and also parses values that contain unquoted whitespace.
key1=value1, key2=value2, key1=value3, key3=value4, key1=value5
), then AxoSyslog only stores the last (rightmost) value for the key. Using the previous example, AxoSyslog will store the following pairs: key1=value5, key2=value2, key3=value4
.
By default, the parser discards sections of the input string that are not key=value
pairs, even if they appear between key=value
pairs that can be parsed. To store such sections, see stray_words_key.
The names of the keys can contain only the following characters: numbers (0-9), letters (a-z,A-Z), underscore (_), dot (.), hyphen (-). Other special characters are not permitted.
Declaration
Usage: parse_kv(<input-string>, value_separator="=", pair_separator=",", stray_words_key="stray_words")
The value_separator
must be a single-character string. The pair_separator
can be a regular string.
Example
In the following example, the source is a Postfix log message consisting of comma-separated key=value
pairs:
Jun 20 12:05:12 mail.example.com <info> postfix/qmgr[35789]: EC2AC1947DA: from=<[email protected]>, size=807, nrcpt=1 (queue active)
filterx {
${PARSED_MESSAGE} = parse_kv(${MESSAGE});
};
You can set the value separator character (the character between the key and the value) to parse for example, key:value
pairs, like MySQL logs:
Mar 7 12:39:25 myhost MysqlClient[20824]: SYSTEM_USER:'oscar', MYSQL_USER:'my_oscar', CONNECTION_ID:23, DB_SERVER:'127.0.0.1', DB:'--', QUERY:'USE test;'
filterx {
${PARSED_MESSAGE} = parse_kv(${MESSAGE}, value_separator=":", pair_separator=",");
};