v0.28.0
Upgrading to version 0.28.0
Several changes have been made that affect configuration for the filelog, syslog, tcplog, udplog, and journald receivers.
Update all usages of field syntax
Field syntax no longer requires the $ character. Instead each field must begin with body, attributes, or resource.
| Deprecated Example | Updated Equivalent |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Tip for updating sub-parsers
To update the parse_from field in a "sub-parser", such as timestamp or severity, consider where the value would reside if the sub-parser was excluded.
| Deprecated Example | Updated Equivalent |
|---|---|
operators:
- type: regex_parser
regex: '^Time=(?P<time>\d{4}-\d{2}-\d{2})...'
parse_to: body # default
timestamp:
parse_from: time
... |
operators:
- type: regex_parser
regex: '^Time=(?P<time>\d{4}-\d{2}-\d{2})...'
parse_to: body # default
timestamp:
parse_from: body.time
... |
Replace usages of restructure operator
The restructure operator has been removed. Use add, copy, flatten, move, remove, and retain operators instead.
| Deprecated Example | Updated Equivalent |
|---|---|
operators:
- type: restructure
ops:
- add:
field: set_me
value: foo
- add:
field: overwrite_me
value: bar
- move:
from: details.env
to: env
- remove:
field: delete_me |
operators:
- type: add
field: body.set_me
value: foo
- type: add
field: body.overwrite_me
value: bar
- type: move
from: body.details.env
to: body.env
- type: remove
field: body.delete_me |
Replace usages of metadata operator
The metadata operator has been removed. Use add, copy, or move operators instead.
| Deprecated Example | Updated Equivalent |
|---|---|
operators:
- type: metadata
attributes:
environment: production
file: 'EXPR( $body.file )'
resource:
cluster: blue |
operators:
- type: add
field: attributes.environment
value: production
- type: copy
from: body.file
to: attributes.file
- type: add
field: resource.cluster
value: blue
- type: move
from: body.foo
to: attributes.bar |
Update filelog attribute references
The filelog receiver has adopted slightly different attribute names in order to match newly established semantic conventions. Configurations that previously refered to the file.* attributes should be updated.
| Deprecated Attribute | Updated Equivalent |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Note to Vendors: A log record's Timestamp field may now be nil
A recent change to the Log Data Model has redefined the usage of the Timestamp field. Correspondingly, this field is no longer initialized by default. All Log Exporters should be evaluated to ensure this change is handled accordingly.
Log exporters can use the following logic to mimic the previous funcationality (psuedocode):
timestamp := log.ObservedTimestamp
if log.Timestamp != nil {
timestamp = log.Timestamp
}[0.28.0] - 2022-03-28
Breaking Changes
$has been removed from field syntax. (PR364)- Use
bodyinstead of$body.- e.g.
body.foo.
- e.g.
- Use
attributesinstead of$attributes.- e.g.
attributes.["log.file.name"]
- e.g.
- Use
resourceinstead of$resource.- e.g.
resource.["host.name"]
- e.g.
- There is no longer a default top-level field.
- i.e.
foois no longer equivalent to$body.foo. (It is invalid.)
- i.e.
- A top-level field MUST be specified at the beginning of each field.
- e.g.
body.foo,attributes.foo, orresource.foo.
- e.g.
- Use
entry.Entry.Timestampfield is no longer required and is not initialized by default. (PR370)- The value can be set using the
timestampblock on any parser, or the using the standalonetime_parseroperator.
- The value can be set using the
- Removed
metadataoperator. (PR429)- Use
add,copy, ormoveoperators instead.
- Use
- Removed
restructureoperator. (PR371)- Use
add,copy,flatten,move,remove, andretainoperators instead.
- Use
- Changed the names of attributes added by
file_inputoperator to match new semantic conventions. (PR372) - Switch to original
go-sysloglibrary, restoring strict enforcement of SD-NAME length. (PR439)