Get the host name of a source during sessionize
I have a log that looks like this
2014-04-29T22:17:45.933,,,,,VideoRecorder,WR139881602394 [RECV] 140352128276224VideoRecorderFactory RPCServiceRequest AllocateRecording recording{video_conf_details { video_conf_id: "0F9534BBB354@0fb21385-b403-4b5f-8989-61d073e3e704" video_part_id: "f73d71d4-1503-4da6-8396-8291b1f2b883" plain_addr{hostname: "sjoprodvhub04.fuzemeeting.com" port: 80 } ssl_addr { hostname:"sjoprodvhub04.fuzemeeting.com" port: 443 } } recording_settings {recording_id:"6195871" pillarbox_id: "28543579" } }
That recording ID is something I need to use as a session id in a sessionize operator. Assume I have sessionized a different log line and have the recording id stored as recId.
So I have two questions
(a) how do I escape the double quotes inside the quoted sessionize operator string? I clearly can't write "recording_id:"$recId"". I tried to use backspace but it doesn't seem to work: "recording_id:\"$recId\"". Any ideas?
(b) now that we are collecting the log line across different sourceHosts, I want to get the name of the Host which emitted this log. I understand that there is the _sourceHost metadata but I want the host that emitted this specific log. How do I do that?
-
a.) What you are using is correct; to escape double quotes you use a backslash. We would need to see an example of both types of log messages along with the query you are attempting to use in order to validate the context of the query and how you are using sessionize.
b.) There is a "hostname" within the log messages themselves; is this the "host" you are wanting to get? If so, you should be able to pull this as part of the sessionize operation or as part of a standard "parse nodrop" operation.
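An added example, not part of the original thread and not Sumo Logic query syntax: a small Python parser for the nested payload in the sample line, showing what an extraction of the recording id and the two hostnames should return. The sample writes `hostname: "` with a space in plain_addr and `hostname:"` without one in ssl_addr, so the tokenizer ignores whitespace around the colon; the function names are hypothetical.

```python
import re
# Payload copied from the log line in the question (the part after "AllocateRecording").
SAMPLE = (
    'recording{video_conf_details { video_conf_id: "0F9534BBB354@0fb21385-b403-4b5f-8989-61d073e3e704" '
    'video_part_id: "f73d71d4-1503-4da6-8396-8291b1f2b883" '
    'plain_addr{hostname: "sjoprodvhub04.fuzemeeting.com" port: 80 } '
    'ssl_addr { hostname:"sjoprodvhub04.fuzemeeting.com" port: 443 } } '
    'recording_settings {recording_id:"6195871" pillarbox_id: "28543579" } }'
)
# One token per match: quoted string, brace or colon, field name, or integer.
TOKEN = re.compile(r'\s*(?:(?P<str>"[^"]*")|(?P<punct>[{}:])|(?P<name>[A-Za-z_]\w*)|(?P<num>\d+))')

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        kind, val = m.lastgroup, m.group(m.lastgroup)
        val = val[1:-1] if kind == "str" else int(val) if kind == "num" else val
        # Punctuation tokens use the character itself as their kind.
        out.append((val if kind == "punct" else kind, val))
        pos = m.end()
    return out

def parse_fields(tokens, i=0, depth=0):
    # Parses `name: value` and `name { ... }` fields into nested dicts.
    fields = {}
    while i < len(tokens):
        kind, name = tokens[i]
        if kind == "}" and depth:
            return fields, i + 1
        if kind != "name" or i + 1 >= len(tokens):
            raise ValueError(f"bad or truncated field at token {i}")
        i += 2 if tokens[i + 1][0] == ":" else 1   # the colon is optional before '{'
        kind, val = tokens[i] if i < len(tokens) else ("end of input", None)
        if kind == "{":
            fields[name], i = parse_fields(tokens, i + 1, depth + 1)
        elif kind in ("str", "num"):
            fields[name], i = val, i + 1
        else:
            raise ValueError(f"unexpected {kind} after {name}")
    if depth:
        raise ValueError("payload truncated: unclosed '{'")
    return fields, i

def extract(payload):
    rec = parse_fields(tokenize(payload))[0]["recording"]
    conf = rec["video_conf_details"]
    return rec["recording_settings"]["recording_id"], conf["plain_addr"]["hostname"], conf["ssl_addr"]["hostname"]
```

`extract(SAMPLE)` returns the recording id followed by the plain and SSL hostnames; a payload cut off mid-message raises `ValueError` instead of returning partial fields.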