返回
-
标题
How to search using "nvpair" for .sdata.kv. -
说明
How to search using nvpair in Syslog-ng Store Box (SSB) for .sdata.kv.<name>. -
解决办法
To be able to search using nvpair, the nvpair rules must be setup in SSB:
1. Log > Logspaces
2. Select the specific logspace
3. Under Indexed Fields > Only with the name > define the ".sdata.kv.<name>,.sdata.kv.<name>"
4. Message field must be ticked.
Create / choose a parser for the message parsing:
1. Log > Parsers
2. Either choose the default "kv" parser, or create a new custom parser (create a custom parser regarding to the messages how they have been written e.g: .sdata.fg). Also fill out the Pair separator string, and the Value separator character regarding to how the messages been built.
Check the path if it was set up correctly:
1. Log > Paths
2. Select the source where the messages are going to come from
3. Choose the parser from the drop down menu, which one will be used for the messages
Nvpair search can be used only on the newly incoming (after the above setup is done) messages!