rsyslog icon indicating copy to clipboard operation
rsyslog copied to clipboard

Published 20 hours ago verified publisher icon rsyslog

No option for json array in datatype property parameter

Open macEar opened this issue 3 years ago • 1 comments

Environment

  • rsyslog version: rsyslogd 8.2110.0.master
  • platform: Ubuntu 20.10

Expected behavior

Rsyslog composes the correct output with json arrays for jsonf format. It may be implemented by adding new datatype for json arrays.

Actual behavior

Currently datatype parameter of a property (https://www.rsyslog.com/doc/master/configuration/templates.html#property-statement) supports only the following options: string, number, bool and auto. I guess, it lacks an ability to specify a json array. For now, it braces json array into double quotes.

When I try to send a log from rsyslog to ClickHouse and one of the fields in json document is of Array type, Clickhouse raises an exception:

<Error> DynamicQueryHandler: Code: 130. DB::Exception: Array does not start with '[' character: (while reading the value of key UrlCategories): (at row 1)

Steps to reproduce the behavior

To reproduce this issue you can use a configuration like this:

### TEMPLATES ###
template(
    name="test"
    type="list"
    option.jsonf="on"
    option.casesensitive="on"
) {
    property(outname="TimeStamp" name="timegenerated" dateFormat="unixtimestamp" format="jsonf")
    # Should be json array
    property(outname="UrlCategories" name="$!mwgLog!urlc" format="jsonf")
}

### RULESETS ###

ruleset(
    name="r_test"
) {
    action(type="mmjsonparse" container="$!mwgLog" cookie="")
    if $parsesuccess == "OK" then {
        action(
            type="omfile"
            file="/logs/test.log"
            template="test"
        )
    }
}

### INPUTS ###

input(
    type="imptcp"
    port="20106"
    name="tcp20106"
    ruleset="r_test"
)

Then you can send to rsyslog a log entry with a json array field, like the following:

<30>Feb 16 15:32:46 test1 mwg: {"urlc":["Content Server","Internet Services"]}

In test.log we can find how this json array field looks in output:

\"UrlCategories\":\"[ \\\"Web Meetings\\\" ]\"

And I want it to look as follows:

\"UrlCategories\": [ \"Web Meetings\" ]

macEar avatar Feb 16 '22 14:02 macEar

currently the only way to create an array is with mmjsonparse or (I think) mmnormalize.

and the only way to use arrays is the foreach() function

I agree that it would be nice to get some tools tobe able to create and use arrays better.

David Lang

davidelang avatar Feb 16 '22 14:02 davidelang