how do you guys like to emit logs in your applications? right now, i'm emitting a string of k=v with a type=something field
torrancew
Agro: there are several conventions. In general, where possible, most of us strive to provide some type of structured data to LS (json is popular)
what you're doing seems mostly fine, as long as you don't have weird escaping conditions (= inside of a value, etc)
Rumbles has quit
Agro
i see
torrancew
json is popular b/c it's well supported in most programming languages, and several logging tools, etc
Agro
yeah, might consider json
spuder joined the channel
mitcdh joined the channel
rastro
elisiano: not related, but you can put all the inputs in one input{} stanza.
elisiano: i wonder if your work for [year] is what's causing the issue. i would use grok instead of the machinations you're going through.
elisiano: in general, i don't like to see checking to see if you need to run a grok (lines 54, 60). Note you can combine the two grok patterns into one.
elisiano: regexps in conditionals don't have to be exhaustive, so /.*foo.*/ is a less-readable version of /foo/ (lines 81, 87, 93, 99)
torrancew
that's my best guess too, rastro
(the year stuff)
phutchins2 joined the channel
Agro
yeah, i'm actually gonna hop over to json, get those types
torrancew
:)
yeah
I always forget about that particular advantage, sorry!
Agro
you familiar with log4j, or really any java logging framework?
rastro
elisiano: i'd also be inclined to try and combine the sshd lines into one grok{} stanza with maybe 2 grok patterns.
elisiano: ^^ oops, meant sudoers on that one ^^
al-damiri has quit
elisiano: you can run multiple gsubs in one mutate (line 119, 122)
torrancew
Agro: only a wee bit
hartfordfive joined the channel
rastro
elisiano: after the grok at 125, you won't have a message field but will have a message_remainder. Unless one of those patterns is matching into [message], set your greedydata there and use overwrite.