parse_log

Parses common log formats into structured data. This is easier and often much faster than grok.

parse_log:
  format: syslog_rfc5424
  codec: json

Fields

format

string A common log format to parse.

Options are: syslog_rfc5424.

codec

string Specifies the structured format to parse a log into.

Options are: json.

parts

array An optional array of message indexes of a batch that the processor should apply to. If left empty all messages are processed. This field is only applicable when batching messages at the input level.

Indexes can be negative, and if so the part will be selected from the end counting backwards starting from -1.

Codecs

Currently the only supported structured data codec is json.

Formats

syslog_rfc5424

Makes a best effort to parse a log line following the Syslog RFC 5424 spec. The resulting structured document may contain any of the following fields:

  • message (string)
  • timestamp (string, RFC3339)
  • hostname (string)
  • procid (string)
  • appname (string)
  • msgid (string)
  • structureddata (object)
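The following is an added, stand-alone Python example (not the processor's own code) that shows what "parse an RFC 5424 line into a JSON document with the fields above" amounts to. The function names (parse_syslog_rfc5424, parse_log), the regular expressions and the sample log lines are all constructed for this illustration; the field names match the list above, and NILVALUE ("-") fields are omitted from the output rather than emitted as the literal dash.

```python
import json
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
# Each of the five text fields is either a token or the NILVALUE "-".
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) '
)

# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may escape ", \ and ] with a backslash.
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^ \]=]+)(?P<params>(?: [^ =\]]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r'(?P<name>[^ =\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    """Undo the three escapes RFC 5424 allows inside a PARAM-VALUE."""
    return re.sub(r'\\([\\"\]])', r'\1', value)


def parse_syslog_rfc5424(line: str) -> dict:
    """Parse one RFC 5424 line into a dict with the fields the page lists.

    Raises ValueError for lines that do not follow the header grammar, so a
    caller can route them elsewhere instead of silently producing garbage.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog message")

    doc = {}
    for field in ("timestamp", "hostname", "appname", "procid", "msgid"):
        value = m.group(field)
        if value != "-":  # NILVALUE: leave the field out of the document
            doc[field] = value

    rest = line[m.end():]
    if rest.startswith("-"):
        rest = rest[1:]  # no STRUCTURED-DATA present
    else:
        structured = {}
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            em = SD_ELEMENT_RE.match(rest, pos)
            if not em:
                raise ValueError("malformed STRUCTURED-DATA element")
            params = {
                pm.group("name"): _unescape(pm.group("value"))
                for pm in PARAM_RE.finditer(em.group("params"))
            }
            structured[em.group("id")] = params
            pos = em.end()
        rest = rest[pos:]
        doc["structureddata"] = structured

    # MSG is optional; when present it is separated from STRUCTURED-DATA by one space.
    if rest.startswith(" "):
        doc["message"] = rest[1:]
    elif rest:
        raise ValueError("unexpected data after STRUCTURED-DATA")
    return doc


def parse_log(line: str, fmt: str = "syslog_rfc5424", codec: str = "json") -> str:
    """Mirror the processor's format/codec options: only syslog_rfc5424 -> json is supported."""
    if fmt != "syslog_rfc5424":
        raise ValueError(f"unsupported format: {fmt}")
    if codec != "json":
        raise ValueError(f"unsupported codec: {codec}")
    return json.dumps(parse_syslog_rfc5424(line), sort_keys=True)


# Constructed sample line (not captured from a real system); PROCID is the NILVALUE.
SAMPLE_LINE = (
    '<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
    '[examplePriority@32473 class="high"] '
    "'su root' failed for lonvick on /dev/pts/8"
)

if __name__ == "__main__":
    print(parse_log(SAMPLE_LINE))
```

Unparseable lines raise instead of yielding a partial document, which is the behaviour you want in front of a detection pipeline: a line that fails parsing should be counted and inspected, not dropped on the floor or merged into a half-filled record.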