From 2a67f265e82d605b330524c13e025c5e19e44842 Mon Sep 17 00:00:00 2001
From: ruflin
Date: Mon, 28 May 2018 13:17:44 +0200
Subject: [PATCH] Add log.message

The field `log.message` contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`.
---
 CHANGELOG.md | 1 +
 README.md | 1 +
 schema.csv | 1 +
 schemas/log.yml | 17 +++++++++++++++++
 template.json | 6 ++++++
 5 files changed, 26 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2011feef2a..d0ce89a8df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,5 +13,6 @@ All notable changes to this project will be documented in this file based on the
 * Adds cloud.account.id for top level organizational level. #11
 * Add `http.response.status_code` and `http.response.body` fields. #4
 * Add fields for Operating System data. #5
+* Add `log.message`. #3
 
 ### Deprecated
diff --git a/README.md b/README.md
index c1607f1547..dc36ace5dd 100644
--- a/README.md
+++ b/README.md
@@ -276,6 +276,7 @@ Fields which are specific to log events.
 | `log.level` | Log level of the log event.
Some examples are `WARN`, `ERR`, `INFO`. | keyword | | `ERR` |
 | `log.line` | Line number the log event was collected from. | long | | `18` |
 | `log.offset` | Offset of the beginning of the log event. | long | | `12` |
+| `log.message` | This is the log message and contains the full log message before splitting it up in multiple parts.
In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message.
This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | `Sep 19 08:26:10 localhost My log` |
 
 ## Network fields
diff --git a/schema.csv b/schema.csv
index 9b3d14f899..9f91f5ce24 100644
--- a/schema.csv
+++ b/schema.csv
@@ -88,6 +88,7 @@ kubernetes.namespace,keyword,0,
 kubernetes.pod.name,keyword,0,
 log.level,keyword,0,ERR
 log.line,long,0,18
+log.message,keyword,1,Sep 19 08:26:10 localhost My log
 log.offset,long,0,12
 network.direction,keyword,0,inbound
 network.forwarded_ip,ip,0,192.1.1.2
diff --git a/schemas/log.yml b/schemas/log.yml
index 2c6047c586..76d103145a 100644
--- a/schemas/log.yml
+++ b/schemas/log.yml
@@ -21,3 +21,20 @@
     description: >
       Offset of the beginning of the log event.
     example: 12
+  - name: message
+    type: keyword
+    phase: 1
+    example: "Sep 19 08:26:10 localhost My log"
+    index: false
+    doc_values: false
+    description: >
+      This is the log message and contains the full log message before
+      splitting it up in multiple parts.
+
+      In contrast to the `message` field which can contain an extracted part
+      of the log message, this field contains the original, full log message.
+      It can have already some modifications applied like encoding or new
+      lines removed to clean up the log message.
+
+      This field is not indexed and doc_values are disabled so it can't be
+      queried but the value can be retrieved from `_source`.
diff --git a/template.json b/template.json
index 5e80936d7c..054277e046 100644
--- a/template.json
+++ b/template.json
@@ -459,6 +459,12 @@
         "line": {
           "type": "long"
         },
+        "message": {
+          "doc_values": false,
+          "ignore_above": 1024,
+          "index": false,
+          "type": "keyword"
+        },
         "offset": {
           "type": "long"
         }
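Review bot: The closing sentence of the new `message` description in schemas/log.yml ("not indexed ... can't be queried but the value can be retrieved from `_source`") should state explicitly that `index: false` and `doc_values: false` are an indexing choice, not an access restriction: the unsplit raw line is still returned with every hit that includes `_source`, and as the full original message it is the field most likely to carry secrets or personal data embedded in log lines. Suggest appending to the description: `Disabling indexing does not limit who can read the value; if raw log lines may contain sensitive data, protect this field like any other stored field (e.g. via _source filtering or field-level security).` The same paragraph is duplicated in README.md and the commit message in this patch, so those copies should be updated together with the schema text.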
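Review bot: `"ignore_above": 1024` on the new `message` mapping in template.json appears inert next to `"index": false` and `"doc_values": false`: ignore_above only controls which values are indexed or written to doc_values, and this field uses neither, so messages longer than 1024 characters are still kept in full in `_source`. schemas/log.yml in the same commit declares no ignore_above for the field, so the schema and the template (which looks generated from the schemas, though that is not visible here) disagree on the field's settings. Either drop the `"ignore_above": 1024,` line from the mapping, or note in log.yml that the generator's default is emitted and has no effect for this field, so readers do not assume long raw messages are truncated.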