EOE events in auparse output

Nikolai Kondrashov Nikolai.Kondrashov at redhat.com
Mon Dec 5 16:49:43 UTC 2016


On 12/05/2016 05:54 PM, Steve Grubb wrote:
> On Monday, December 5, 2016 5:34:12 PM EST Nikolai Kondrashov wrote:
>> However, since libauparse is supposed to provide the service of
>> communicating event boundaries to its users, does it make sense for it to
>> return the EOE record? Especially as a separate, empty event, which doesn't
>> add any information?
>
> I suppose it could be stripped from the event, as its real purpose is locating
> the event boundary. Since I don't know if the event will be relayed on to
> another analytic processor, I've just kept it there. For example, you could
> have a realtime plugin that passes its information to another process for
> correlation and escalation. In that case keeping the record makes sense.

Hmm, perhaps, but I think it's not a useful feature, and a rather confusing
one. I think there aren't many actual use cases between simply passing the raw
log and passing what was parsed with auparse, in whatever shape, with event
boundaries already explicitly defined. However, I'd leave this up to you.

> But for xml/json it can be dropped because it has its own way of defining an
> event boundary.

Yes, I can implement dropping it.

Thanks!

Nick
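To make the point of the exchange concrete, here is an added, self-contained illustration (not libauparse code and not part of the original message) of what the thread is about: grouping raw audit records into events by their msg=audit(timestamp:serial) key, treating a type=EOE record purely as the end-of-event marker, and either dropping it or surfacing it as its own record, which is the behaviour being discussed. The sample log lines are constructed for the example, and the function names (parse_record, group_events, event_to_json) are this example's own, not the library's.

```python
"""Group raw audit records into events; treat EOE as a delimiter only.

Added illustration, not libauparse code. It mirrors the discussion in the
thread: EOE exists to mark where an event ends, so a consumer can drop it
instead of emitting it as a separate, empty event. When the output format
already carries event boundaries (a JSON array per event), EOE adds nothing.
"""
import json
import re
from collections import OrderedDict

# Standard audit record prefix: "type=NAME msg=audit(SECONDS.MS:SERIAL): ..."
_HDR = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r"\s*(?P<body>.*)$"
)


def parse_record(line):
    """Split one audit line into type, timestamp, serial and the remaining body.

    Returns None for lines that do not look like audit records.
    """
    m = _HDR.match(line.strip())
    if not m:
        return None
    return {
        "type": m.group("type"),
        "ts": m.group("ts"),
        "serial": int(m.group("serial")),
        "body": m.group("body"),
    }


def group_events(lines, keep_eoe=False):
    """Yield (key, [records]) per event.

    Records sharing the same (timestamp, serial) key belong to one event.
    A type=EOE record closes that event immediately. With keep_eoe=False the
    EOE record is discarded (the boundary is conveyed by the grouping itself);
    with keep_eoe=True it is appended to the event, and an EOE whose key was
    never seen becomes an event of its own, which is the confusing case the
    thread describes.
    """
    open_events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["serial"])
        if rec["type"] == "EOE":
            recs = open_events.pop(key, [])
            if keep_eoe:
                recs.append(rec)
            if recs:
                yield key, recs
            continue
        open_events.setdefault(key, []).append(rec)
    # Events that never got an EOE (single-record events, or a log truncated
    # mid-event) are flushed at the end, in first-seen order.
    for key, recs in open_events.items():
        yield key, recs


def event_to_json(key, recs):
    """Render one event as a JSON object; the array is the event boundary."""
    ts, serial = key
    return json.dumps({
        "timestamp": ts,
        "serial": serial,
        "records": [{"type": r["type"], "body": r["body"]} for r in recs],
    })


# Constructed sample (not a captured log): one multi-record syscall event
# terminated by EOE, then a single-record event that has no EOE.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480955000.123:4242): arch=c000003e syscall=2 success=yes exit=3 items=1 comm="cat" exe="/usr/bin/cat" key="files"
type=CWD msg=audit(1480955000.123:4242): cwd="/root"
type=PATH msg=audit(1480955000.123:4242): item=0 name="/etc/shadow" inode=1234 mode=0100000
type=EOE msg=audit(1480955000.123:4242):
type=USER_LOGIN msg=audit(1480955001.456:4243): pid=900 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
""".splitlines()


def events_from_sample(keep_eoe=False):
    """Run the grouping over the constructed sample and return the events."""
    return list(group_events(SAMPLE_LOG, keep_eoe=keep_eoe))


if __name__ == "__main__":
    for key, recs in events_from_sample():
        print(event_to_json(key, recs))
```

Run with keep_eoe=True to see the behaviour the thread complains about: the EOE record shows up inside the event (or, if its key was never seen, as an event containing nothing but EOE), whereas with the default the syscall event ends at PATH and the JSON output already says where each event stops.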




More information about the Linux-audit mailing list