Loading...

XML

Word

Printable

Details

Type: Feature
Resolution: Done
Priority: Major
Fix Version/s: Logging 5.9
Affects Version/s: None
Component/s: Log Collection, PM Logging
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
PM Score:
0
Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%

RICE Score:
0

SFDC Cases Links:
SFDC Cases Counter:

Description

1. Proposed title of this feature request
--> Provide custom configuration to vector to Filter and Reduce logs

2. What is the nature and description of the request?
--> Feature Request

3. Why does the customer need this? (List the business requirements here)
--> To filter the logs and reduce the amount of logs generated

4. List any affected packages or components. >> Vector , RHOL 5.6+

===============================================================
-Need to Enhance Openshift Version of Vector)
1. Filter (Filter events based on a set of conditions)
2. Reduce (Collapse multiple log events into a single event based on a set of conditions and merge strategies)

**Filter: Filters events based on a set of conditions.

Given this event : \\\{"log":{"level":"debug","message":"I'm a noisy debug log"}},\\\{"log":{"level":"info","message":"I'm a normal info log"}}

TOML file example

~~~
[transforms.my_transform_id]
type = "filter"
inputs = [ "my-source-or-transform-id" ]
condition = '.level != "debug"'
~~~

This Vector event is produced: \\\{"log":{"level":"info","message":"I'm a normal info log"}}

**Reduce: Collapse multiple log events into a single event based on a set of conditions and merge strategies.

Given this event. : \\\{"log":{"host":"host-1.hostname.com","message":"foobar.rb:6:in /': divided by 0 (ZeroDivisionError)\n from foobar.rb:6:in bar'\n from foobar.rb:2:in foo'\n from foobar.rb:9:in \u003cmain\u003e'","pid":1234,"tid":5678,"timestamp":"2020-10-07T12:33:21.223543Z"}},\\\{"log":{"host":"host-1.hostname.com","message":"Hello world, I am a new log","pid":1234,"tid":5678,"timestamp":"2020-10-07T12:33:22.123528Z"}}

TOML file example

~~~
[transforms.my_transform_id]
type = "reduce"
inputs = [ "my-source-or-transform-id" ]
group_by = [ "host", "pid", "tid" ]
starts_when = "match(string!(.message), r'^[^\\s]')"

[transforms.my_transform_id.merge_strategies]
message = "concat_newline"
~~~

========================================================
Below are some additional details:

As we know advanced filtering is not supported, and this issue has been already reported and one RFE [0] going on for the same.

[0] https://issues.redhat.com/browse/OBSDA-228

This RFE has been raised for to Enhance Openshift Version of Vector
1. Filter (Filter events based on a set of conditions)
2. Reduce (Collapse multiple log events into a single event based on a set of conditions and merge strategies)
3. Splunk HED logs : defining the source Type

[1] https://vector.dev/docs/reference/configuration/transforms/filter/
[2] https://vector.dev/docs/reference/configuration/transforms/reduce/
[3] https://vector.dev/docs/reference/configuration/sinks/splunk_hec_logs/#sourcetype

Attachments

Issue Links

is incorporated by

OBSDA-228 Log filtering and collecting

Release Pending

links to

KCS (Unpublished)

Activity

People

Assignee:: Jamie Parker

Reporter:: Prithviraj Patil

Votes:: 6 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: 2023/10/26 9:00 PM

Updated:: 2024/03/25 2:07 PM

Resolved:: 2024/03/25 2:07 PM