13.2.1. Using parser results in filters and templates
The results of message classification and parsing can be used in custom filters and templates, for example, in file and database templates. The following built-in macros allow you to use the results of the classification:
The .classifier.class macro contains the class assigned to the message (for example violation, security, or unknown).
The .classifier.rule_id macro contains the identifier of the message pattern that matched the message.
The .classifier.context_id macro contains the identifier of the context for messages that were correlated. For details on correlating messages, see Section 13.3, Correlating log messages using pattern databases.
Pattern database rules can assign tags to messages. These tags can be used to select tagged messages using the tags() filter function.
The message segments parsed by the pattern parsers can also be used as macros. To do this, add a name to the parser; you can then use this name as a macro that refers to the parsed value of the message.
Example 13.4. Using pattern parsers as macros
For example, you want to parse messages of an application that look like
Here the @ESTRING@ parser parses the message until the next full stop character. To use the results in a filter or a filename template, include a name in the parser of the pattern, for example:
After that, add a custom template to the log path that uses this template. For example, to select every
The above macros can be used in database columns and filename templates as well, if you create custom templates for the destination or logspace.
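A minimal Python model of the behaviour described above, added here as an example and not taken from the guide or from syslog-ng's code: a rule with named @ESTRING@ parsers sets the classifier macros and one macro per parser name, and a template then refers to them. The rule, the message text and the macro names app.user and app.resource are constructed, and the filename sanitising step is this example's own precaution for values that originate in log content.

```python
import re

# Constructed rule modelled on a pattern database entry: the id, class, message
# text and macro names (app.user, app.resource) are illustrative assumptions.
RULES = [{
    "id": "example-rule-0001",
    "class": "violation",
    "pattern": "Access denied for @ESTRING:app.user:;@ resource=@ESTRING:app.resource:.@",
}]

PARSER = re.compile(r"@ESTRING:([^:@]*):([^@]+)@")  # @ESTRING:<name>:<end string>@
MACRO = re.compile(r"\$\{([^}]+)\}")                # ${macro} reference in a template

def match_rule(rule, message):
    """Return the macros a matching rule sets, or None if the rule does not match."""
    macros = {".classifier.class": rule["class"], ".classifier.rule_id": rule["id"]}
    pattern, pos, last = rule["pattern"], 0, 0
    for tok in PARSER.finditer(pattern):
        literal = pattern[last:tok.start()]
        if not message.startswith(literal, pos):
            return None
        pos += len(literal)
        name, end_string = tok.groups()
        end = message.find(end_string, pos)
        if end < 0:
            return None
        if name:  # only named parsers become macros
            macros[name] = message[pos:end]
        pos, last = end + len(end_string), tok.end()
    return macros if message[pos:] == pattern[last:] else None

def classify(message, rules=RULES):
    """Apply the first matching rule; unmatched messages get the class 'unknown'."""
    for rule in rules:
        macros = match_rule(rule, message)
        if macros is not None:
            return macros
    return {".classifier.class": "unknown"}

def expand(template, macros, filename=False):
    """Expand ${macro} references; unset macros become empty strings."""
    def value(m):
        v = macros.get(m.group(1), "")
        # Parsed values come from log content: keep them to one path component.
        return re.sub(r"[^A-Za-z0-9_-]", "_", v) if filename else v
    return MACRO.sub(value, template)

if __name__ == "__main__":
    m = classify("Access denied for alice; resource=payroll.")
    print(expand("/var/log/app/${.classifier.class}/${app.user}.log", m, filename=True))
```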
Use a consistent naming scheme for your macros, for example,