This section contains general log information. Additional attributes can be added to a record: resource attributes that describe the source, and log record attributes that carry structured log record data.
Query logs in Grail:

```
fetch logs
```

The log module, in certain situations, may associate multiple process group instances with a single log. This can occur when more than one process group instance opens a file in write mode or if there are multiple process group instances in a single container. In such cases, `dt.entity.process_group_instance` and `dt.entity.process_group` may be reported as arrays. To prepare queries for such situations, use `matchesValue` instead of `==` for equality checks.

| Attribute | Type | Description | Examples |
|---|---|---|---|
| content | string | (stable) Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source. | No keepalive from datasource statsd. Restarting |
| dt.entity.process_group | string | (resource, stable) The entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks. Tags: entity-id | PROCESS_GROUP-E0D8F94D9065F24F |
| dt.entity.process_group_instance | string | (resource, stable) The entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks. Tags: entity-id | PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
| dt.source_entity | string[] | (resource, stable) The entity IDs of the log's source. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks. [1] Tags: entity-id | ['PROCESS_GROUP_INSTANCE-22714B95E4BF6AE0', 'PROCESS_GROUP_INSTANCE-D6DD5FF37FBEF0DF'] |
| event.type | string | (stable) The unique type identifier of a given event. Tags: permission | LOG |
| log.iostream | string | (stable) The I/O stream to which the log was emitted. | stdout; stderr |
| log.source | string | (stable) Human-readable attribute that identifies a log stream. [2] Tags: permission | /var/log/messages; Windows Event Log; Docker Container Output; stdout |
| loglevel | string | (stable) The log event severity level. | ERROR; INFO; TRACE |
| ordinal | long | (stable) The field is used to order records produced by a single source. It is monotonically increasing across successive records, but the step between values is unspecified. The field encodes only a local (source‑specific) ordering, not a global one, so it is typically used as a secondary sort key after the timestamp to preserve the original sequence when timestamp resolution is insufficient. Examples include a byte offset within the source file or the __SEQNUM field in systemd‑journald. | 1479670 |
| process.technology | string[] | (stable) Technologies detected for the process. | ['Java', 'Tomcat']; ['Go', 'Envoy'] |
| span_id | string | (experimental) A unique identifier for a span within a trace. The span_id is an 8-byte id and hex-encoded if shown as a string. | f76281848bd8288c |
| status | string | (experimental) Overall significance of log event, derived from log level. Only INFO, WARN, ERROR and NONE values are allowed. | ERROR; WARN; INFO; NONE |
| timestamp | timestamp | (stable) The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it is populated at ingest time. The field is required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
| trace_id | string | (experimental) A unique identifier for a trace. The trace_id is a 16-byte id and hex-encoded if shown as a string. | 357bf70f3c617cb34584b31bd4616af8 |

[1] The value of this field will be based on the value of one of the dt.entity.<type> fields. This means that the dt.source_entity and dt.entity.<type> fields will both be set to the same ID.

[2] Can contain, for example, a file path, standard output, or a URI, depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).
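
The same scalar-or-array pitfall applies when log records are processed outside Grail, for example in a triage script run over exported records. The following is an added example, not Dynatrace code: the record shape (a JSON list of objects keyed by the attribute names above) and the helper names are assumptions, and the sample records are constructed. It covers exact ID matches only and uses `ordinal` as the secondary sort key after `timestamp`.

```python
import json

# Constructed sample records using the attribute names from the table above.
SAMPLE = json.loads("""[
 {"timestamp": 1649822520123123123, "ordinal": 1479671, "loglevel": "ERROR",
  "content": "Restarting",
  "dt.entity.process_group_instance": "PROCESS_GROUP_INSTANCE-22714B95E4BF6AE0"},
 {"timestamp": 1649822520123123123, "ordinal": 1479670, "loglevel": "INFO",
  "content": "No keepalive from datasource statsd.",
  "dt.entity.process_group_instance": ["PROCESS_GROUP_INSTANCE-22714B95E4BF6AE0",
                                       "PROCESS_GROUP_INSTANCE-D6DD5FF37FBEF0DF"]},
 {"timestamp": 1649822519000000000, "ordinal": 1479669, "loglevel": "INFO",
  "content": "started",
  "dt.entity.process_group_instance": "PROCESS_GROUP_INSTANCE-D6DD5FF37FBEF0DF"},
 {"timestamp": 1649822521000000000, "ordinal": 12, "loglevel": "WARN",
  "content": "no entity attached"}
]""")

FIELD = "dt.entity.process_group_instance"


def entity_ids(record, field=FIELD):
    """Return the field as a list, whether it arrived as a string, an array, or not at all."""
    value = record.get(field)
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def naive_filter(records, entity_id, field=FIELD):
    """Plain equality: silently drops every record where the field is an array."""
    return [r for r in records if r.get(field) == entity_id]


def robust_filter(records, entity_id, field=FIELD):
    """Membership check that handles both shapes, then restores the original order."""
    hits = [r for r in records if entity_id in entity_ids(r, field)]
    # ordinal is only a source-local order, so it serves as the tie-breaker
    # when two records carry the same timestamp, never as the primary key.
    return sorted(hits, key=lambda r: (r["timestamp"], r.get("ordinal", 0)))


if __name__ == "__main__":
    target = "PROCESS_GROUP_INSTANCE-22714B95E4BF6AE0"
    print("naive :", [r["content"] for r in naive_filter(SAMPLE, target)])
    print("robust:", [r["content"] for r in robust_filter(SAMPLE, target)])
```
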