I'm using syslog-ng to collect JSON messages and send alarms to Slack.
There is a parameter in the JSON message which contains the IP address of the router from which I'm receiving the JSON message, and I want to convert the IP address to the router hostname.
I'm using two parsers: 1) parse JSON 2) replace IP address with router hostname:
parser p_json {
    json-parser(prefix(".json."));
};
parser p_acd_router {
    add-contextual-data(selector("${.json.router_ip}"), database("host_map.csv"), prefix(".meta_router."));
};
Until now everything works fine. Hi, I'm having a problem when I receive a log message from a router and I don't have an IP_to_Hostname mapping for it in the CSV file. In this case I just get a blank space in the syslog message. There is an option to return a default value if the mapping does not exist, but I would prefer to return the original value (IP address).
If mapping exists, convert IP address to hostname >> works
If mapping does not exist, return original IP address >> don't know how to set it up
Is this even supported?
Thanks
You can set the default-selector("UNKNOWN") option for add-contextual-data(), and add a record to your CSV file with the ID UNKNOWN, and use the following value when setting .meta_router.hostname: ${.json.router_ip}.
TLDR: templates are supported inside the CSV file as well.
Note: In case your IPs are reverse-resolvable, you can just use the $(dns-resolve-ip) template function instead of maintaining a complete CSV database: