How to refer to fields with dash in name in Exec

#1 mulgurul 5 years ago

I'm working on a setup for collecting IIS logs and send them to Graylog. Here I stumbled into a problem with refering to fields with a dash in the field name.

I would really like the fields to have prober w3c names in greylog, so I dont wanna remove those dashes.

In the CSV module I have:

<Extension w3c> Module xm_csv Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken, $X-Forwarded-For FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension>

And in my input def i have:

<Input iis_dodpdownload> Module im_file ....

Exec		if $raw_event =~ /(^#)|((keepalive.html).*(\s-\s200\s0\s))/ \
            {                                                           \
                drop();                                                 \
            }                                                           \
            else                                             \
            {                                                \
                w3c-&gt;parse_csv();                            \
                $EventTime = parsedate($date + &quot;T&quot; + $time + &quot;+00:00&quot;); \
                $SourceName = &quot;IIS&quot;;    					 \
                $Message = $cs-method + &quot; &quot; + $cs-uri-stem + &quot; &quot; + $sc-status;     				 \
            }

</Input>

The line $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; results in a parser error. If I change field names to not contain dash character then it works. I also tried to surround with curly braces but it just returns a new parse error.

How can i refer to those fields/vars or escape them?

Hope someone knows:-)

Best regards, Peter Meldgaard

Permalink

#2 Zhengshi Nxlog ✓ 5 years ago

#1 mulgurul

Hi I'm working on a setup for collecting IIS logs and send them to Graylog. Here I stumbled into a problem with refering to fields with a dash in the field name. I would really like the fields to have prober w3c names in greylog, so I dont wanna remove those dashes. In the CSV module I have: <Extension w3c> Module xm_csv Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken, $X-Forwarded-For FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> And in my input def i have: <Input iis_dodpdownload> Module im_file .... Exec if $raw_event =~ /(^#)|((keepalive.html).*(\s-\s200\s0\s))/ \ { \ drop(); \ } \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + "T" + $time + "+00:00"); \ $SourceName = "IIS"; \ $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; \ } </Input> The line $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; results in a parser error. If I change field names to not contain dash character then it works. I also tried to surround with curly braces but it just returns a new parse error. How can i refer to those fields/vars or escape them? Hope someone knows:-) Best regards, Peter Meldgaard

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#lang_fields
You can reference the fields as ${field-name}.

$Message = ${cs-method} + " " + ${cs-uri-stem} + " " + ${sc-status};
This should work.