I've had a look through the discussions here and the docs, and I'm not sure what the best approach here is. Basically, I'm running a bunch of services (that I don't own - self-hosting binge), and the logs are frequently intermingled, and could be any of, say,
As far as I can tell, I need to do something like this:

```toml
[sources.source_firefly_iii_core]
type = "docker_logs"
include_containers = ["firefly_iii_core"]

[transforms.transform_firefly_iii_core]
type = "route"
inputs = [ "source_firefly_iii_core" ]

[transforms.transform_firefly_iii_core.route]
apache = '''
  _, err = parse_apache_log(.message, "combined")
  err == null
'''
apache_error = '''
  _, err = parse_apache_log(.message, "error")
  err == null
'''
application = '''
  _, err = parse_groks(
    .message,
    patterns: [
      "\\[%{TIMESTAMP_ISO8601:timestamp}\\] %{FIREFLY_LOG_LEVEL}: %{GREEDYDATA:message}"
    ],
    aliases: {
      "FIREFLY_LOG_LEVEL": "(?:%{DATA:host}\\.%{LOGLEVEL:level})"
    }
  )
  err == null
'''

[transforms.transform_firefly_iii_core_apache_combined_remap]
type = "remap"
inputs = [ "transform_firefly_iii_core.apache" ]
source = '''
  . |= parse_apache_log!(.message, "combined")
'''

[transforms.transform_firefly_iii_core_apache_err_remap]
type = "remap"
inputs = [ "transform_firefly_iii_core.apache_error" ]
source = '''
  . |= parse_apache_log!(.message, "error")
'''

[transforms.transform_firefly_iii_core_application_remap]
type = "remap"
inputs = [ "transform_firefly_iii_core.application" ]
source = '''
  . |= parse_groks!(
    .message,
    patterns: [
      "\\[%{TIMESTAMP_ISO8601:timestamp}\\] %{FIREFLY_LOG_LEVEL}: %{GREEDYDATA:message}"
    ],
    aliases: {
      "FIREFLY_LOG_LEVEL": "(?:%{DATA:host}\\.%{LOGLEVEL:level})"
    }
  )
'''

[sinks.console_test_out]
type = "console"
inputs = [ "transform_firefly_iii_core_*_remap" ]
encoding.codec = "json"
```

This isn't really ideal, since I have to parse the log twice in the best-case scenario, or four times in the worst-case, plus the necessary parsing code has to be duplicated. Is there a better way of handling this, given that I can't reasonably go and make a PR for every single service I've got deployed to get them to use JSON? I suppose I could also write some horribly nested VRL, along the lines of
But don't think that's any better, particularly since I'm not sure I can route it to a separate destination like that (e.g., I want Apache logs to go somewhere else, separate from application logs).
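One way to parse each event only once and still send each format to its own destination, as an added example that is not from the thread: a single `remap` tries the parsers in order and tags the event, and a `route` transform then splits on the tag alone. The transform and sink names and the `.log_format` field are assumptions; it reuses the `source_firefly_iii_core` source from the question.

```toml
# Added example, not from the thread; names and .log_format are assumptions.
[transforms.classify_firefly_iii_core]
type = "remap"
inputs = ["source_firefly_iii_core"]
source = '''
  # Try each parser in turn and stop at the first one that succeeds.
  parsed, err = parse_apache_log(.message, "combined")
  if err == null {
    . |= parsed
    .log_format = "apache"
  } else {
    parsed, err = parse_apache_log(.message, "error")
    if err == null {
      . |= parsed
      .log_format = "apache_error"
    } else {
      parsed, err = parse_groks(
        .message,
        patterns: ["\\[%{TIMESTAMP_ISO8601:timestamp}\\] %{FIREFLY_LOG_LEVEL}: %{GREEDYDATA:message}"],
        aliases: { "FIREFLY_LOG_LEVEL": "(?:%{DATA:host}\\.%{LOGLEVEL:level})" }
      )
      if err == null {
        . |= parsed
        .log_format = "application"
      } else {
        # Keep unrecognised lines, tagged, so they are not silently dropped.
        .log_format = "unparsed"
      }
    }
  }
'''

[transforms.route_firefly_iii_core]
type = "route"
inputs = ["classify_firefly_iii_core"]
# Routing compares the tag only; no parser runs a second time.
route.apache = '.log_format == "apache" || .log_format == "apache_error"'
route.application = '.log_format == "application"'
route.unparsed = '.log_format == "unparsed"'

[sinks.apache_out]
type = "console"
inputs = ["route_firefly_iii_core.apache"]
encoding.codec = "json"

[sinks.application_out]
type = "console"
inputs = ["route_firefly_iii_core.application", "route_firefly_iii_core.unparsed"]
encoding.codec = "json"
```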
Replies: 1 comment 7 replies
For mixed formats, I'd probably suggest just relying on
Thinking about it more, I…