liblognorm
Clarification of the mmnormalize path action parameter?
I read the explanation provided in the rsyslog mmnormalize documentation [1]
**path [word], defaults to "$!" Specifies the JSON path under which parsed elements should be placed. By default, all parsed properties are merged into root of message properties. You can place them under a subtree, instead. You can place them in local variables, also, by setting path="$.".**
I'm looking for some examples of setting the local path variables for the parsed elements from a custom application event log. Should I list the parsed property names from the rulebase prepended with $! as an example, then reference the same property names in a new rsyslog template for processing into another source such as Elasticsearch?
Here is the relevant section of the rsyslog configuration
```
# read the custom application log
module(load="imfile")
input(type="imfile" File="(path to custom application log file)" Tag="app:")

# normalize each message with the liblognorm rulebase
module(load="mmnormalize")
action(type="mmnormalize" rulebase="/opt/customapp.rb")
```
I'll provide the contents of the rulebase that I configured if needed.
Thank you. I appreciate any advice/suggestions/feedback.

[1] https://www.rsyslog.com/doc/mmnormalize.html
Say you have the log entry

```
David opened the blue door at timestamp
```

You parse this with

```
rule=:%name:word% opened the %door:word% at %time:timestamp%
```

By default, with the path set to $!, this will result in the variables

```
$!name="David"
$!door="blue"
$!timestamp=timestamp
```

If you set path = $.foo, then the resulting variables would be

```
$.foo!name="David"
$.foo!door="blue"
$.foo!timestamp=timestamp
```

This prevents these from overwriting any variables that may have existed under these names.
does this clarify it for you?
Yes. Thank you. I should be able to use these variables in a new rsyslog template for use with elasticsearch as an example.
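
The setup discussed in this thread, written out as an added example (not from the original posts or from the rsyslog project): mmnormalize places the parsed fields under the local subtree `$.foo`, and a list template reads them back for omelasticsearch. The ruleset name, template name, Elasticsearch server and index name are assumptions; the rule in the comment is the one from the answer above.

```rsyslog
# /opt/customapp.rb is assumed to contain the rule from the answer above:
#   rule=:%name:word% opened the %door:word% at %time:timestamp%

module(load="imfile")
module(load="mmnormalize")
module(load="omelasticsearch")

# Bind the input to its own ruleset so only this log is normalized.
input(type="imfile"
      File="(path to custom application log file)"
      Tag="app:"
      ruleset="customapp")          # ruleset name is an assumption

# Build the JSON document from the local variables under $.foo.
# format="jsonf" emits each property as a quoted "outname":"value" pair.
template(name="customapp-json" type="list") {
    constant(value="{")
    property(outname="@timestamp" name="timereported"
             dateFormat="rfc3339" format="jsonf")
    constant(value=",")
    property(outname="name" name="$.foo!name" format="jsonf")
    constant(value=",")
    property(outname="door" name="$.foo!door" format="jsonf")
    constant(value="}")
}

ruleset(name="customapp") {
    # path="$.foo" keeps the parsed fields out of the $! message tree,
    # so they cannot overwrite properties that already exist there.
    action(type="mmnormalize"
           rulebase="/opt/customapp.rb"
           path="$.foo")

    # Forward only messages that matched a rule in the rulebase.
    if $parsesuccess == "OK" then {
        action(type="omelasticsearch"
               server="localhost"       # assumption: local Elasticsearch
               searchIndex="customapp"  # assumption: index name
               template="customapp-json")
    }
}
```

Local variables (`$.`) exist only while the message is being processed, so the template has to name each field it wants to emit explicitly.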