liblognorm error: invalid field type 'string'

[leyafo]

Hi,All. I'm using lognormalizer parse my nginx's access log. It has returned me this error when I parsed quote string.

My nginx's log text is: 255.255.255.255 - [email protected] [05/Nov/2015:15:15:56 +0800] "POST /url/foo/bar HTTP/1.0" 200 2 "-" "Jakarta Commons-HttpClient/3.0.1"

My rule file is: version=2 %ip:ipv4% - %user-email:word% [%time:word% %timezone:word%] %url:string%

[davidelang]

string is not a valid data type in liblognorm, word is probably what you want (a string of characters with no spaces in them), or you may want rest (everything from there to the end of the line)

What are you expecting to be in 'url' when you are done?

[aiwilliams]

If string is not a valid field type, it may be necessary to clarify something here: http://www.liblognorm.com/files/manual/configuration.html#string

[rgerhards]

I think the problem was that the test was carried out with v1, while string is a v2 parser. It should now work, which we should verify to be sure. At the time of the original post, v2 was only available via experimental packages.

[sinsonglew]

@rgerhards , same problem with rsyslog8.26.1 with liblognorm5-2.0.3-1.el6.x86_64 installed. any suggestions, thanks !

logs: May 17 13:50:50 host_root rsyslogd: liblognorm error: rulebase file /etc/rsyslog.d/elastic_query.rb[19]: invalid field type '"string","name"' [v8.26.1 try http://www.rsyslog.com/e/2427 ]

[davidelang]

silly question, do you have version=2 as the first line in your .rb file?

[sinsonglew]

@davidelang, i do add version info at the top. it just doesn't work.