-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JSON format support #43
Conversation
Thanks for the proposal! In Splunk, note that the first example already includes all of the event's structured properties in fields. The "message" field in this context is the human-readable description of the event that occurred, while structured data is included alongside it. I don't think we should flip this around and put JSON in the message field itself. Allowing message formatting to be customized via an |
Well, the advantage of having the text formatted as JSON is that you can do more effective search on the message. In the text format the message template is rendered with the actual values in it, while in the JSON version the template is rendered as template and the properties in a separate JSON field.
this will give you all the logs with the template regardless of the actual attribute value(s) which can be useful. You can't achieve that with the standard plaintext format, because that includes the attribute values in the text. Another thing is that the JSON formats any complex values that you may use in your message template values in much nicer way. We have been using this format in our company and found it quite useful, both for searching and visually it's easier to find the information you need. |
Thanks for your reply, sorry about the slow turnaround! Currently, using Let me know if this helps, |
The latest version on There should be a package on its way through CI now, it'd be great to hear whether this improves the experience for you. Cheers! |
Hi @chmely, I hope all's going well! I don't think the approach in the PR is the one we'll take right now; enabling this scenario would look more like Perhaps the way forward from here is to close this ticket and open up a tracking issue instead? |
Closing as stale but please chime in if you're still interested in workout out a plan for this one. Thanks again for the PR! |
Added support to export the message as JSON.
![image](https://user-images.githubusercontent.com/6213446/228523218-dd51503b-1154-4566-b646-96d9d9ff1816.png)
Now, there is the option to export the messages as plain text (the current implementation), like this:
or newly in JSON that appears in Splunk in this way:
![image](https://user-images.githubusercontent.com/6213446/228523319-fabe310b-7d7e-40b5-9a46-ebb3bcd76734.png)