When calling macros created from the SSB (Syslog-ng Store Box) parser, use the following format:
${.SDATA.namespace.KEY}
SDATA is capitalized and requires a period both before and after it.
The namespace must match the name of the namespace verbatim. If the name contains a capitalized letter, ensure that the macro uses the same capitalization.
Lastly, the KEY is all capitalized. It is the name of the value that the parser parsed from the data.
The following is an example using firewall as the namespace and SIP (Source IP) as the KEY:
${.SDATA.firewall.SIP}
The macro above calls the SIP data parsed by the firewall parser. SIP is the key of the key=value pair, and calling the macro returns the value stored under that key. In this example SIP is the Source IP being parsed out, so the key is SIP, the value is the IP address, and the IP address is returned, i.e.:
${.SDATA.firewall.SIP} = 192.168.1.105
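The naming rules above can be checked mechanically before a template is deployed. The following is an added example, not One Identity code: lint_template is a hypothetical helper, and the namespace list and sample template are constructed. It assumes namespace names do not themselves contain a period.

```python
import re

MACRO = re.compile(r"\$\{([^}]*)\}")  # any ${...} reference in a template


def lint_template(template, namespaces):
    """Return (macro, problem) pairs for SDATA macros that break the naming rules.

    namespaces: parser namespace names exactly as defined (assumed input).
    """
    findings = []
    for match in MACRO.finditer(template):
        body = match.group(1)
        if "sdata" not in body.lower():
            continue  # not an SDATA macro, e.g. ${HOST}
        macro = match.group(0)
        parts = body.split(".")
        # Expected shape: "" . SDATA . namespace . KEY
        # (the leading period produces the empty first part)
        if len(parts) != 4 or parts[0] != "":
            findings.append((macro, "expected ${.SDATA.namespace.KEY}"))
            continue
        _, sdata, namespace, key = parts
        if sdata != "SDATA":
            findings.append((macro, "SDATA must be capitalized"))
        if namespace not in namespaces:
            hint = [n for n in namespaces if n.lower() == namespace.lower()]
            problem = (f"namespace case mismatch, defined as '{hint[0]}'"
                       if hint else "unknown namespace")
            findings.append((macro, problem))
        if not key or key != key.upper():
            findings.append((macro, "KEY must be all capitals"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one defined namespace, a template with deliberate mistakes.
    defined = ["firewall"]
    sample = ("src=${.SDATA.firewall.SIP} host=${HOST} a=${SDATA.firewall.SIP} "
              "b=${.SDATA.Firewall.SIP} c=${.sdata.firewall.sip}")
    for macro, problem in lint_template(sample, defined):
        print(f"{macro}: {problem}")
```

Run against the constructed sample, the correctly formed ${.SDATA.firewall.SIP} and the unrelated ${HOST} pass, while the other three references are reported.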