Add fields from ECS logging spec to log support in v2 intake API

Open lahsivjar opened this issue 3 years ago • 1 comments

Extend the log support in v2 intake API to handle fields in ECS logging spec.

lahsivjar avatar Sep 13 '22 02:09 lahsivjar

One complication is that the properties might be specified as dotted keys, such as "log.level".

Example ECS log line:

{"@timestamp":"2019-08-06T12:09:12.375Z", "log.level": "INFO", "message":"Tomcat started on port(s): 8080 (http) with context path ''", "service.name":"spring-petclinic","process.thread.name":"restartedMain","log.logger":"org.springframework.boot.web.embedded.tomcat.TomcatWebServer"}

If we specify in the json schema that log is an object, we might ignore the "log.level" field.

So we'll need to expand dots before passing on to the JSON decoding and validation.

felixbarny avatar Sep 13 '22 10:09 felixbarny
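
The dot expansion described in the comment above, as an added example in Go (not apm-server's code and not part of the original thread). The names `obj`, `expand` and `put` are hypothetical, and the log line in `main` is constructed; input that uses one path as both a value and an object is rejected rather than silently overwritten.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type obj = map[string]interface{}

// expand copies src into dst, nesting dotted keys; arrays are copied as-is.
func expand(dst, src obj) error {
	for key, val := range src {
		if err := put(dst, strings.Split(key, "."), val); err != nil {
			return fmt.Errorf("key %q: %w", key, err)
		}
	}
	return nil
}

// put stores val at path. It fails, whatever the key order, when the same
// path is set twice or is used as both a value and an object.
func put(dst obj, path []string, val interface{}) error {
	src, valIsObj := val.(obj)
	if len(path) == 1 && !valIsObj { // leaf value
		if _, dup := dst[path[0]]; dup {
			return fmt.Errorf("%q set twice", path[0])
		}
		dst[path[0]] = val
		return nil
	}
	if _, ok := dst[path[0]]; !ok {
		dst[path[0]] = obj{}
	}
	child, ok := dst[path[0]].(obj)
	if !ok {
		return fmt.Errorf("%q is both a value and an object", path[0])
	}
	if len(path) > 1 {
		return put(child, path[1:], val)
	}
	return expand(child, src) // object value: merge it key by key
}

func main() {
	in, out := obj{}, obj{} // in: constructed, shortened ECS log line
	err := json.Unmarshal([]byte(`{"log.level":"INFO","log.logger":"x","message":"hi"}`), &in)
	fmt.Println(err, expand(out, in), out)
}
```

Schema validation then runs on the expanded object, so a schema that declares `log` as an object sees `log.level` as `log` → `level`.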

@lahsivjar please let the apm-agents developers know once this is merged.

simitt avatar Oct 06 '22 07:10 simitt

Tested with BC2. Works well overall, but I found a few issues:

  • Intake accepts dataset, should be event.dataset according to the ECS logging spec: https://github.com/elastic/ecs-logging/blob/main/spec/spec.json#L97
  • The error.grouping_key is being added (by the error grouping key model processor) to application logs with error.* fields. I think this should only be done for error events.
  • The app_logs data stream is missing field definitions for: error.stack_trace, event.dataset, log.logger, log.origin.file.line, log.origin.file.name, log.origin.function, and process.thread.name

axw avatar Nov 24 '22 06:11 axw

Opened https://github.com/elastic/apm-server/issues/9666

axw avatar Nov 24 '22 06:11 axw