LLD rule processing syslog
  • Brambo
    Senior Member
    • Jul 2023
    • 245

    #1

    LLD rule processing syslog

    Hi there,

    I'm relatively new to Zabbix but I was managing
    I have set up a syslog on the Zabbix server, and when creating an item to retrieve this file using Zabbix agent (active) the content is shown in Latest data.
    Item key then is: log[/var/log/syslog/{$SYSLOGSENDERIP}/messages.log]
    The SYSLOGSENDERIP is a host macro with the IP address of the device we expect data from.
    So far so good.
    With preprocessing steps regex and a second step CSV to JSON I get a JSON output with 41 fields.
    The fields I expect to use are shown in the attached image:

    [attached image: image.png]
    So I set up a discovery rule, Zabbix agent (active),
    key as mentioned above, and the preprocessing rule I used for the item.
    These steps are all accepted.
    Then go to Item prototypes.

    Here is where I run into problems
    When I choose a dependent item I can't select my discovery rule AND in the item key I can't use my macros.

    Could someone push me in the right direction? I tried following this guide: https://smartsolutions.dioss.com/en/...ry-json-lists/ and I can show the last update of the file using the guide but that is nice to have for sure but the Item prototypes I want to create are more important.
    Using Zabbix 6.4 and I also have a 6.0 available, but there is no syslogger active at the moment.
  • Brambo
    Senior Member
    • Jul 2023
    • 245

    #2
    As extra information, the current setup in 6.4.4; until written otherwise the mentioned steps are working:
    [attached image: image.png]
    [attached image: image.png]
    [attached image: image.png]
    ^^ I fixed the } bracket of the dirname macro
    (above is part of the LLD get files)

    [attached image: image.png]
    Both working, and in the collect data the data I want to collect is shown in Latest data.

    Only the part I want to do now is from that collected data create items (the data is converted to JSON as mentioned in the start post).
    I can (@ item prototype) select dependent item > select prototype == Collect data {#FILENAME}, but then I'm missing macros to create items based on the syslog file.

    Good to know is that this syslog file contains details of multiple hosts which communicate to this central module by an encrypted protocol, and with this syslog output I'm able to receive it decrypted.

    • ISiroshtan
      Senior Member
      • Nov 2019
      • 324

      #3

      Hey there.

      So in my brain your post ends up all over the place and I sadly fail to grasp the end goal.

      Still, I can outline points that don't fit in the overall puzzle for me, you can clarify them, and then maybe me or someone else will be able to advise.

      First of all, the aim of Zabbix discovery is to find semi-static entries that share the same characteristic and automatically set them up for monitoring based on common monitoring setups. If you pipe out the content of a log file as JSON into discovery, Zabbix will attempt to set up monitoring of each log entry. Which I'm pretty sure is not something you want to do, nor is it your aim.

      If you want to monitor log file content, you don't need to set up a discovery. Instead you need to identify a clear list of either the log entries you are hunting after or at least their common characteristics. Like 'error' log level. Or 'high' priority. Etc. Then you can use a trigger with the find function to see if the latest log entry contains the values that warrant trigger firing.

      Also, depending on the amount of logs shipped, it might not be a good idea to pull all of them into the Zabbix DB. You might want to filter out unneeded entries right away at the stage of log file processing (the log item supports filtering, so that the agent only sends matching entries into Zabbix for storing in the DB and processing for possible triggers; can check here).

      • Brambo
        Senior Member
        • Jul 2023
        • 245

        #4
        OK, I'll try to summarize it better:
        First we have a syslog output of a device which reports all kinds of information of other devices. This could be 10 devices, could be 100.
        Only a few of those devices have static IPs, others have a fixed hostname (which can't be edited). I have identified the important field, and {#ORIGIN} is always the device which reported the fault to the syslog device, and based on the name/IP there I would like to create an item.
        When an error occurs the LOGID of the fault is unique, and the clear event (Clear / error / critical are based on {#LEVEL}) has the same LOGID.

        So the combination of ORIGIN-LOGID ($.6-$.1) should be a unique key, and LEVEL is the indicator of whether it's an active alert or clear.
        After preprocessing, and as last step CSV to JSON, the output of messages.log is: (I could replace the original : with a different character before doing CSV to JSON, but that is not the example output; preprocessing already drops about 2/3 of all messages)
        Code:
        [{"1":"LogId:3XoeCeGQAA","2":"Priority:",
        "3":"Origin","4":"","5":"CallId:","6":"address:10.1.1.20",
        "7":"UsrId:","8":"Time:2023-07-11 09.34.07","9":"","10":"Receiver:1","11":"",
        "12":"Cald:","13":"address:10.1.1.25","14":"UserId:",
        "15":"Time:2023-07-11 09.34.07","16":"Status:200","17":"","18":"Receiver:1",
        "19":"","20":"CallId:","21":"address:10.1.1.25/error","22":"UserId:",
        "23":"Time:2023-07-11 09.34.07","24":"Status:200","25":"","26":":",
        "27":"Application:\"MOD:[email protected]\"","28":"Hostname: ",
        "29":"name:Zabbix 1","30":":","31":"Level:0","32":"Pers:yes",
        "33":"Description:No error","34":"Fault code:300","35":":","36":":",
        "37":":","38":":","39":"detailed info: ","40":""}]
        The reason for doing it dynamically (or at least trying) is that the system can grow / units can be replaced etc. And I'm willing to set it up completely differently, but I'm lacking knowledge on how to do it.

        • Brambo
          Senior Member
          • Jul 2023
          • 245

          #5
          The state I'm now at is:
          In a template I have an item which collects / processes the syslog data. Output is like the following:
          Code:
          2023-07-13 17:29:55 {"data":{"LOGID":"3XoeCfuggf+ySZiTQAA","PRIORITY": "","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 16.29.54","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"0","FAULTCODE":"0-0-0","DESCSHORT":"","DESCLONG":" "}}
          2023-07-13 17:29:41 {"data":{"LOGID":"3XoeCfuggf+ySZcTQAA","PRIORITY": "","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 16.29.41","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"4","FAULTCODE":"3-3-19","DESCSHORT":"IP equipment lost","DESCLONG":""}}
          2023-07-13 16:44:45 {"data":{"LOGID":"3XoeCfuggf+ySacTAAA","PRIORITY": "","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 15.44.44","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"0","FAULTCODE":"0-0-0","DESCSHORT":"","DESCLONG":" "}}
          2023-07-13 16:41:48 {"data":{"LOGID":"3XoeCfuggf+ySaMTAAA","PRIORITY": "","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 15.41.48","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"4","FAULTCODE":"3-3-19","DESCSHORT":"IP equipment lost","DESCLONG":""}}
          ^^ above is twice the same alarm and clear; the LOGID is a unique identifier, APPADDR is the item I would like to create with the discovery rule.
          The discovery rule > dependent item on the one which outputs the above text, key syslog and the same macros as in the first post. However the JSONPath is a bit different.
          [attached image: image.png]
          Item Prototype:
          [attached image: image.png]
          [attached image: image.png]
          However I still don't get any item. When I test the preprocessing steps with the JSON output above I do get the IP address without /SystemSurvey.

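The following is an added example, not code from the thread or from Zabbix itself. It takes the record format shown in post #5 (a timestamp followed by a `{"data":{...}}` JSON object per line, with a constructed copy of those four records embedded as sample input) and does the three things the thread circles around: it strips the `/SystemSurvey` suffix from ORIGIN the way the preprocessing step in the post does, it produces the LLD discovery document with one `{#APPADDR}`/`{#ORIGIN}` entry per distinct device rather than one per log line (the point ISiroshtan makes about what discovery is for), and it replays the records in TIME order to derive the current alarm/clear state per APPADDR, treating `LEVEL` `"0"` as clear as the examples in post #4 and #5 suggest. The LLD macro names, the assumption that LEVEL `"0"` means clear, and the timestamp regex are this example's assumptions, not something the thread or Zabbix defines.

```python
"""Added example: syslog-derived JSON records -> Zabbix LLD document + alarm state.

Assumptions (not from the thread or Zabbix docs): each line is
"<YYYY-MM-DD HH:MM:SS> {\"data\":{...}}", LEVEL "0" is a clear event, and the
discovery macros are named {#APPADDR} and {#ORIGIN}.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed sample input modelled on the four records quoted in post #5
# (newest first, as Zabbix's latest-data view lists them).
SAMPLE_LINES = [
    '2023-07-13 17:29:55 {"data":{"LOGID":"3XoeCfuggf+ySZiTQAA","PRIORITY":"","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 16.29.54","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"0","FAULTCODE":"0-0-0","DESCSHORT":"","DESCLONG":" "}}',
    '2023-07-13 17:29:41 {"data":{"LOGID":"3XoeCfuggf+ySZcTQAA","PRIORITY":"","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 16.29.41","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"4","FAULTCODE":"3-3-19","DESCSHORT":"IP equipment lost","DESCLONG":""}}',
    '2023-07-13 16:44:45 {"data":{"LOGID":"3XoeCfuggf+ySacTAAA","PRIORITY":"","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 15.44.44","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"0","FAULTCODE":"0-0-0","DESCSHORT":"","DESCLONG":" "}}',
    '2023-07-13 16:41:48 {"data":{"LOGID":"3XoeCfuggf+ySaMTAAA","PRIORITY":"","ORIGIN":"10.30.177.120/SystemSurvey","TIME":"2023-07-13 15.41.48","APPADDR":"10.30.177.89","HOSTNAME":" ","LEVEL":"4","FAULTCODE":"3-3-19","DESCSHORT":"IP equipment lost","DESCLONG":""}}',
]

# Assumed line layout: collection timestamp, one space, then the JSON object.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\{.*\})$")


def parse_record(line: str) -> Optional[dict]:
    """Return the inner "data" object of one line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        payload = json.loads(m.group(2))
    except json.JSONDecodeError:
        return None
    rec = payload.get("data")
    return rec if isinstance(rec, dict) else None


def origin_host(origin: str) -> str:
    """Mirror the preprocessing step in the post: '10.30.177.120/SystemSurvey' -> '10.30.177.120'."""
    return origin.split("/", 1)[0].strip()


def is_alert(record: dict) -> bool:
    """Assumption: LEVEL "0" is a clear event, any other level is an active alarm."""
    return record.get("LEVEL", "0") != "0"


def build_lld(records: List[dict]) -> List[dict]:
    """One discovery entry per distinct APPADDR, not one per log line."""
    seen: Dict[str, dict] = {}
    for r in records:
        appaddr = r.get("APPADDR", "").strip()
        if not appaddr:
            continue  # skip records that name no device; nothing to discover
        seen.setdefault(appaddr, {
            "{#APPADDR}": appaddr,
            "{#ORIGIN}": origin_host(r.get("ORIGIN", "")),
        })
    return [seen[k] for k in sorted(seen)]


def lld_json(records: List[dict]) -> str:
    """Serialize in the plain JSON-array form Zabbix accepts for LLD."""
    return json.dumps(build_lld(records))


def current_state(records: List[dict]) -> Dict[str, dict]:
    """Replay records in TIME order so the newest LEVEL per APPADDR wins.

    TIME is 'YYYY-MM-DD HH.MM.SS', so lexical order is chronological order.
    """
    state: Dict[str, dict] = {}
    for r in sorted(records, key=lambda rec: rec.get("TIME", "")):
        appaddr = r.get("APPADDR", "").strip()
        if not appaddr:
            continue
        state[appaddr] = {
            "level": r.get("LEVEL"),
            "faultcode": r.get("FAULTCODE"),
            "desc": r.get("DESCSHORT"),
            "logid": r.get("LOGID"),
            "active": is_alert(r),
        }
    return state


if __name__ == "__main__":
    recs = [r for r in map(parse_record, SAMPLE_LINES) if r]
    print(lld_json(recs))
    for addr, st in current_state(recs).items():
        print(addr, st)
```

Two design choices worth noting: the discovery document deliberately collapses the four lines into a single entry, because a prototype per device is what LLD is for, while the alarm/clear logic belongs to the dependent items or triggers, not the discovery rule; and only records where `is_alert` is true ever need to reach the trigger side, which is the same filtering ISiroshtan recommends doing at the agent to keep non-alarm lines out of the database.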