Skip to content

[enterprise-4.13] OBSDOCS-83: Removed JSON message field #70115

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 11, 2024
Merged

[enterprise-4.13] OBSDOCS-83: Removed JSON message field #70115

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 5 additions & 14 deletions modules/cluster-logging-json-log-forwarding.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,17 @@
[id="cluster-logging-json-log-forwarding_{context}"]
= Parsing JSON logs

Logs including JSON logs are usually represented as a string inside the `message` field. That makes it hard for users to query specific fields inside a JSON document. OpenShift Logging's Log Forwarding API enables you to parse JSON logs into a structured object and forward them to either OpenShift Logging-managed Elasticsearch or any other third-party system supported by the Log Forwarding API.
You can use a `ClusterLogForwarder` object to parse JSON logs into a structured object and forward them to a supported output.

To illustrate how this works, suppose that you have the following structured JSON log entry.
To illustrate how this works, suppose that you have the following structured JSON log entry:

.Example structured JSON log entry
[source,yaml]
----
{"level":"info","name":"fred","home":"bedrock"}
----

Normally, the `ClusterLogForwarder` custom resource (CR) forwards that log entry in the `message` field. The `message` field contains the JSON-quoted string equivalent of the JSON log entry, as shown in the following example.

.Example `message` field
[source,yaml]
----
{"message":"{\"level\":\"info\",\"name\":\"fred\",\"home\":\"bedrock\"",
"more fields..."}
----

To enable parsing JSON log, you add `parse: json` to a pipeline in the `ClusterLogForwarder` CR, as shown in the following example.
To enable parsing JSON log, you add `parse: json` to a pipeline in the `ClusterLogForwarder` CR, as shown in the following example:

.Example snippet showing `parse: json`
[source,yaml]
Expand All @@ -31,7 +22,7 @@ pipelines:
parse: json
----

When you enable parsing JSON logs by using `parse: json`, the CR copies the JSON-structured log entry in a `structured` field, as shown in the following example. This does not modify the original `message` field.
When you enable parsing JSON logs by using `parse: json`, the CR copies the JSON-structured log entry in a `structured` field, as shown in the following example:

.Example `structured` output containing the structured JSON log entry
[source,yaml]
Expand All @@ -42,5 +33,5 @@ When you enable parsing JSON logs by using `parse: json`, the CR copies the JSON

[IMPORTANT]
====
If the log entry does not contain valid structured JSON, the `structured` field will be absent.
If the log entry does not contain valid structured JSON, the `structured` field is absent.
====