Using rsyslog and specifically liblognorm, is it possible to have DRY rules by referencing other rules?
Example: having the following 2 rules, which match exactly except for the first 3 fields:
rule=innerQuery:%timestamp:date-rfc5424% %queryid:number% %client:ipv4%/%clientport:number% %querytype:word% %domain:word% %additionalinfo:rest%
rule=wrapperQuery:%mts:date-rfc5424% %mh:char-to: % [%mt:char-to:]%] %timestamp:date-rfc5424% %queryid:number% %client:ipv4%/%clientport:number% %querytype:word% %domain:word% %additionalinfo:rest%
Is it possible to have the wrapperQuery defined by referencing the innerQuery rule?
rule=wrapperQuery:%mts:date-rfc5424% %mh:char-to: % [%mt:char-to:]%] %core:REFERENCE_innerQuery%
I was able to handle that by:
which implies that the variable access would be nested too.
The following is how that could be achieved:
type=@coreQ:%timestamp:date-rfc5424% %queryid:number% %client:ipv4%/%clientport:number% %querytype:word% %domain:word% %additionalinfo:rest%
rule=innerQuery:%core:@coreQ:%
rule=wrapperQuery:%mts:date-rfc5424% %mh:char-to: % [%mt:char-to:]%] %core:@coreQ%
And that's how the variable could be accessed:
template(name="myLogFormat" type="string" string="Full structure displayed as json is %$!core%, single element is %$!core!domain%\n")
Note: the syntax is %$!core!domain% and not %$!core.domain%
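
The rules and template above wired into a complete setup, as an added example that is not part of the original post. It assumes the rulebase is saved as /etc/rsyslog.d/dnsquery.rb and uses hypothetical output file names; the sample log lines are constructed. Lines that match neither rule go to their own file, so a format change in the query log shows up as parse failures rather than as silently missing fields.

```conf
version=2
# ^ Rulebase file (assumed path: /etc/rsyslog.d/dnsquery.rb).
#   User-defined types (type=@...) are a liblognorm v2 feature, and
#   "version=2" has to be the very first line of the rulebase file.

# Shared field sequence, defined once
type=@coreQ:%timestamp:date-rfc5424% %queryid:number% %client:ipv4%/%clientport:number% %querytype:word% %domain:word% %additionalinfo:rest%

# Both rules reuse the type; its fields end up nested under "core"
rule=innerQuery:%core:@coreQ%
rule=wrapperQuery:%mts:date-rfc5424% %mh:char-to: % [%mt:char-to:]%] %core:@coreQ%

# Constructed sample lines, one per rule:
#   2024-05-01T10:15:30Z 4711 192.0.2.10/53124 A example.com NOERROR
#   2024-05-01T10:15:31Z relay01 [dns] 2024-05-01T10:15:30Z 4711 192.0.2.10/53124 A example.com NOERROR

# ---------------------------------------------------------------
# rsyslog configuration fragment (separate file, e.g. under /etc/rsyslog.d/)
# ---------------------------------------------------------------
# module(load="mmnormalize")
#
# template(name="myLogFormat" type="string"
#          string="Full structure displayed as json is %$!core%, single element is %$!core!domain%\n")
#
# # Run the message through the rulebase; parsed fields land under $!
# action(type="mmnormalize" rulebase="/etc/rsyslog.d/dnsquery.rb")
#
# if $parsesuccess == "OK" then {
#     # Matched innerQuery or wrapperQuery: nested fields are available
#     action(type="omfile" file="/var/log/dnsquery-normalized.log" template="myLogFormat")
# } else {
#     # No rule matched: keep the raw line for review instead of dropping it
#     action(type="omfile" file="/var/log/dnsquery-unparsed.log")
# }
```

The rsyslog part is commented out only so the block can be read as one listing; uncomment it in its own configuration file.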