Searchable application logs in Grafana

From my understanding, attributes is a map from the application.

  1. If params goes into the body in the following query, would that be fully queryable?
  2. What if attributes/params has a deeper map? I don’t use that myself, but I could imagine others would. As an example, I added last_login as an array. Maybe someone wants to search for all users on desktop who last logged in the past 1 week.

{
  "pid": "#PID<0.52431.0>",
  "time": "2024-04-15T15:52:07.533725Z",
  "level": "info",
  "ip": "66.42.26.1",
  "region": "dfw",
  "user_id": 123,
  "guid": "121268d4-953c-4015-8540-ac0e560077a5",
  "event": "device",
  "params": {
    "height": 820,
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15",
    "width": 1440,
    "last_login": [1234, 5678]
  }
}

If params goes into the body in the following query, would that be fully queryable?

First, we need to define “fully queryable.” If you mean the ability to run analytics/aggregation queries, it won’t work. You will need to put the params in the attributes field to run term aggregations on the field attributes.params.last_login. This will allow you to retrieve all IDs. You will also be able to filter logs for a specific user ID with attributes.params.last_login:1234.

In your case, you probably want to put almost all your fields in the attributes field like this:

{
  "time": "2024-04-15T15:52:07.533725Z",
  "severity_text": "info",
  "attributes": {
    "pid": "#PID<0.52431.0>",
    "ip": "66.42.26.1",
    "region": "dfw",
    "user_id": 123,
    "guid": "121268d4-953c-4015-8540-ac0e560077a5",
    "event": "device",
    "params": {
      "height": 820,
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15",
      "width": 1440,
      "last_login": [1234, 5678]
    }
  }
}
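As an added example (not code from this thread or from any project), the Python helper below rewrites the record from the question into the time/severity_text/attributes shape suggested above and enumerates the dotted field paths a term filter such as attributes.params.last_login:1234 would use, expanding the nested params map and the last_login array one term per element. The sample record is constructed from the question; the field:value query syntax is the one used in the answer.

```python
import json
from typing import Any, Dict, Iterator, Tuple

# Constructed sample: the application log record from the question, as emitted today
# (user_agent omitted for brevity).
APP_LOG = {
    "pid": "#PID<0.52431.0>",
    "time": "2024-04-15T15:52:07.533725Z",
    "level": "info",
    "ip": "66.42.26.1",
    "region": "dfw",
    "user_id": 123,
    "guid": "121268d4-953c-4015-8540-ac0e560077a5",
    "event": "device",
    "params": {"height": 820, "width": 1440, "last_login": [1234, 5678]},
}


def to_otel_shape(record: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrite an application record into the time/severity_text/attributes shape.

    `time` stays top-level, `level` is renamed to `severity_text`, and every other
    key (including nested maps and arrays) is moved under `attributes` unchanged.
    """
    out: Dict[str, Any] = {"time": record["time"], "severity_text": record["level"], "attributes": {}}
    for key, value in record.items():
        if key not in ("time", "level"):
            out["attributes"][key] = value
    return out


def query_terms(node: Any, prefix: str = "attributes") -> Iterator[Tuple[str, Any]]:
    """Yield (field_path, value) pairs a term filter could match on.

    Nested maps extend the dotted path; arrays yield one term per element, so
    last_login: [1234, 5678] produces attributes.params.last_login:1234 and :5678.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from query_terms(value, f"{prefix}.{key}")
    elif isinstance(node, list):
        for item in node:
            yield from query_terms(item, prefix)
    else:
        yield prefix, node


if __name__ == "__main__":
    doc = to_otel_shape(APP_LOG)
    print(json.dumps(doc, indent=2))
    for path, value in query_terms(doc["attributes"]):
        print(f"{path}:{value}")
```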