A log module I've been noodling with would need to match every line of every log. Take the line, extract the hostname and collect a list of all the hosts that have logged something. The goal is to compare that to a known hosts list and report any host which has reported no logs in the last time segment.
The problem, of course, is if you match a line it gets removed and can't be used by other modules or unparsed lines. So that's obviously not gonna work.
Looking at the code it seems like modules should be able to hand back None as a result which supposedly is to say "this looked like a match but it wasn't, we don't need this, give it to unparsed".
However, testing that code seems to bear out that it, in fact, doesn't get handed over to unparsed.
So my options are:
1. fix that so None == no match and hand them back
2. make the 'report a list of hosts which logged nothing in the last time segment' a core feature that isn't in a module at all.
Not sure how I feel about 2 b/c it feels like something you could safely do in a module.
So - thoughts?
-sv
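A sketch of option 1 follows, as an added example that is not part of the original post and is not the project's code. It assumes an RFC 3164-style line header; the class names, the `handle()` method and the `dispatch()` loop are hypothetical. An observer module records every hostname and returns None, so the line is still offered to other modules and falls through to unparsed when nobody claims it.

```python
import re

# Assumed line format: RFC 3164-style "Mon DD HH:MM:SS host ..." header.
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s")

class HostSeen:
    """Hypothetical observer module: records the host, never claims the line."""
    def __init__(self):
        self.seen = set()
    def handle(self, line):
        m = SYSLOG_RE.match(line)
        if m:
            self.seen.add(m.group(1).lower())
        return None  # None == no match, so the line stays available

class SshdModule:
    """Hypothetical ordinary module: claims sshd lines by returning a result."""
    def handle(self, line):
        return line if " sshd[" in line else None

def dispatch(lines, modules):
    """Show every line to every module; unclaimed lines go to unparsed."""
    claimed, unparsed = [], []
    for line in lines:
        results = [m.handle(line) for m in modules]
        if any(r is not None for r in results):
            claimed.append(line)
        else:
            unparsed.append(line)
    return claimed, unparsed

def silent_hosts(known, seen):
    """Known hosts that logged nothing in this time segment."""
    return sorted({h.lower() for h in known} - seen)

# Constructed sample input (not real logs); 192.0.2.10 is a documentation address.
SAMPLE = [
    "Mar  3 04:02:11 web1 sshd[811]: Accepted publickey for deploy from 192.0.2.10",
    "Mar  3 04:02:15 db1 kernel: eth0: link up",
    "Mar  3 04:03:00 WEB1 crond[90]: (root) CMD (run-parts /etc/cron.hourly)",
    "garbage line without a syslog header",
]
KNOWN = ["web1", "db1", "mail1"]  # constructed known-hosts list

def run_example():
    observer = HostSeen()
    claimed, unparsed = dispatch(SAMPLE, [observer, SshdModule()])
    return claimed, unparsed, silent_hosts(KNOWN, observer.seen)

if __name__ == "__main__":
    print(run_example())
```

Hostnames are lowercased before comparison so `WEB1` and `web1` count as one host, and a line with no parsable header is ignored by the observer but still reaches unparsed.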