01 Aug 2024 03:30 PM - last edited on 01 Oct 2024 09:30 AM by MaciejNeumann
Use Case: A customer has an application log in which a single character, "E" for example, denotes the LogLevel of each log entry.
[2024-05-21T12:06:40.084-0400] 012345 id= com.github.example E HOST: An unexpected error occured whilst opening the log. Log example Log example Log example Log example Log example Log example Log example
Dynatrace will not automatically extract the single character and set the LogLevel, because it is in a non-standard format, but we can do this with a Log Processing Rule: https://docs.dynatrace.com/docs/shortlink/lma-log-processing
Log Processor Setup: Open the Dynatrace Tenant > Settings > Log Monitoring > Log Processing.
Click Add rule and give the rule a friendly but descriptive name.
In the Matcher field, enter the DQL filters that narrow the log processing rule down to the specific application we are interested in. For example:
matchesValue(k8s.namespace.name, "App-namespace") AND matchesValue(k8s.deployment.name, "MyApplication")
For the processor definition, enter the following:
USING(INOUT loglevel, IN content)
| PARSE(content,"LD SPACE LD SPACE LD BLANK LD BLANK ['A-Z']{1}:logstatus SPACE")
| FIELDS_ADD(loglevel:
    IF(logstatus == "W", "WARN",
    IF(logstatus == "E", "ERROR",
    IF(logstatus == "I", "INFO",
    IF(logstatus == "C", "CRITICAL",
    IF(logstatus == "D", "DEBUG",
    IF(logstatus == "S", "SEVERE",
    IF(logstatus == "T", "TRACE",
    IF(logstatus == "N", "NOTICE",
    IF(logstatus == "A", "ALERT",
    IF(logstatus == "F", "FATAL",
    "NONE"
    ))))))))))
  )
This Log Processing Rule extracts the single character, "E" in the above example, and saves it to a logstatus field. Then, based on the logstatus field, we update the loglevel to the corresponding value.
[Image: before transformation vs. after transformation]
Save the rule and turn it on to start updating the loglevel for any newly ingested logs matching the defined matcher!
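To check sample lines offline before turning the rule on, the same extraction and mapping can be approximated in Python. This is an added example, not part of the original post or Dynatrace's own code; the regex is an assumed approximation of the DPL pattern, and map_loglevel, audit and the sample lines are hypothetical names and constructed data.

```python
import re
from collections import Counter

# Regex approximation of the rule's DPL pattern. Assumptions: every LD field is
# whitespace-free (true for the sample line), BLANK = spaces/tabs, SPACE = whitespace.
PATTERN = re.compile(
    r"^\S+\s+"                 # LD SPACE  -> [timestamp]
    r"\S+\s+"                  # LD SPACE  -> numeric id
    r"\S+[ \t]+"               # LD BLANK  -> "id="
    r"\S+[ \t]+"               # LD BLANK  -> logger name
    r"(?P<logstatus>[A-Z])\s"  # one capital letter followed by SPACE
)

# Same letter-to-level table as the nested IF chain in the rule.
LEVELS = {
    "W": "WARN", "E": "ERROR", "I": "INFO", "C": "CRITICAL", "D": "DEBUG",
    "S": "SEVERE", "T": "TRACE", "N": "NOTICE", "A": "ALERT", "F": "FATAL",
}

def map_loglevel(content):
    """Return the mapped level, "NONE" for an unmapped letter, or None when
    the pattern does not match (what Dynatrace does then is not modelled)."""
    match = PATTERN.match(content)
    if match is None:
        return None
    return LEVELS.get(match.group("logstatus"), "NONE")

def audit(lines):
    """Count outcomes so unmapped and unparsed lines stand out."""
    return Counter(map_loglevel(line) or "UNPARSED" for line in lines)

# Constructed sample lines modelled on the log entry shown in the post.
PREFIX = "[2024-05-21T12:06:40.084-0400] 012345 id= com.github.example "
SAMPLES = [
    PREFIX + "E HOST: An unexpected error occured whilst opening the log.",
    PREFIX + "W HOST: Disk usage above threshold.",
    PREFIX + "X HOST: Letter with no mapping in the rule.",
    PREFIX + "ERROR HOST: Level spelled out in full.",
    "plain line without the expected prefix",
]

if __name__ == "__main__":
    for outcome, count in sorted(audit(SAMPLES).items()):
        print(f"{outcome}: {count}")
```

A high NONE or UNPARSED count on real samples means the pattern or the letter table needs adjusting before alerts that filter on loglevel can be relied on.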