JSON format support

[chmely]

Added support to export the message as JSON.
Now, there is the option to export the messages as plain text (the current implementation), like this:

or newly in JSON that appears in Splunk in this way:

[nblumhardt]

Thanks for the proposal!

In Splunk, note that the first example already includes all of the event's structured properties in fields. The "message" field in this context is the human-readable description of the event that occurred, while structured data is included alongside it. I don't think we should flip this around and put JSON in the message field itself.

Allowing message formatting to be customized via an ITextFormatter option passed to the sink would be a reasonable alternative if you're still keen to do what you have in mind, although it's not a common pattern among Serilog sinks right now either.

[chmely]

Well, the advantage of having the text formatted as JSON is that you can do more effective search on the message. In the text format the message template is rendered with the actual values in it, while in the JSON version the template is rendered as template and the properties in a separate JSON field.
With that you can easily search in splunk like this:

index="<index>" "Properties.Service"="<service>" "Route matched with {RouteData}"

this will give you all the logs with the template regardless of the actual attribute value(s) which can be useful. You can't achieve that with the standard plaintext format, because that includes the attribute values in the text. Another thing is that the JSON formats any complex values that you may use in your message template values in much nicer way.

We have been using this format in our company and found it quite useful, both for searching and visually it's easier to find the information you need.

[nblumhardt]

Thanks for your reply, sorry about the slow turnaround!

Currently, using Enrich.WithMessageTemplate() will attach the original message template to your events, which should give you equivalent functionality though still retaining the formatted message in the message field.

Let me know if this helps,
Nick

[nblumhardt]

The latest version on dev will include message_template.text by default, which should provide what you're after while keeping the formatted message and attributes in their usual locations.

There should be a package on its way through CI now, it'd be great to hear whether this improves the experience for you. Cheers!

[nblumhardt]

Hi @chmely, I hope all's going well!

I don't think the approach in the PR is the one we'll take right now; enabling this scenario would look more like OpenTelemetrySinkOptions.BodyFormatter, if it's something that's of general interest.

Perhaps the way forward from here is to close this ticket and open up a tracking issue instead?

[nblumhardt]

Closing as stale but please chime in if you're still interested in workout out a plan for this one. Thanks again for the PR!