Automatic log enrichment
powered by Grail
Dynatrace enables you to transform logs ingested via OneAgent.
Transform the OneAgent-ingested logs
During log ingest via OneAgent, the severity of logs is determined.
Log severity
By default, the log event severity is detected through a keyword search performed on the first 100 characters of the log content, within the first two lines of text.
To adjust these limits
- In the Dynatrace menu, go to Settings.
- Select Log Monitoring > Advanced log settings.
- Adjust the following settings as needed.
- Severity search chars limit is the number of characters in each log line, starting from the first character, to search for severity.
- Severity search lines limit is the number of lines in each log entry, starting from the first line, to search for severity.
There are 19 keywords that correspond with 9 severity levels as per the table below:
Keyword | Severity level |
---|---|
trace | DEBUG |
debug | DEBUG |
fine | DEBUG |
finer | DEBUG |
finest | DEBUG |
notice | NOTICE |
info | INFO |
information | INFO |
warn | WARN |
warning | WARN |
severe_warning | WARN |
severe | SEVERE |
err | ERROR |
error | ERROR |
crit | CRITICAL |
critical | CRITICAL |
alert | ALERT |
fatal | EMERGENCY |
emerg | EMERGENCY |
A match occurs and severity is determined when:
- The keyword found is a single word/phrase from the above list, and it is preceded and followed by a space.
- The keyword found is a single word/phrase from the above list, and it is preceded and followed by one of the four predefined non-alphanumeric symbols, as in the example below:
[error]
{error}
{{error}}
<error>
Transform all types of logs
Additionally, for each log event, a status attribute is created with a value that is a sum of loglevel values based on the following grouping:
Included loglevel values | Combined status attribute value |
---|---|
|
|
|
|
|
|
|
|
For example:
The level severity key in the generic log ingestion API request parameter contains the value serious.
- The level severity key is transformed into the loglevel attribute with the serious value mapped to SEVERE based on the above table.
- The loglevel attribute containing the SEVERE value is grouped into the status attribute. Based on the grouping table above, the status attribute will contain the ERROR value.
For the log event details, the log viewer will report the following:
- status - ERROR
- loglevel - SEVERE
Attributes added during a log ingest via OneAgent
During the log ingestion via OneAgent, the following attributes are added automatically:
General attributes (via OneAgent)
container.name
container.image.name
container.id
dt.host_group.id
dt.kubernetes.cluster.id
dt.kubernetes.cluster.name
dt.kubernetes.node.system_uuid
dt.process.name
event.type
host.name
k8s.cluster.name
k8s.namespace.name
k8s.pod.name
k8s.pod.uid
k8s.container.name
k8s.deployment.name
log.iostream
loglevel
log.source
process.technology
span_id
status
trace_id
web_server.iis.site_id
web_server.iis.site_name
web_server.iis.application_pool
dt entity model attributes (via OneAgent)
dt.entity.cloud_application
dt.entity.cloud_application_instance
dt.entity.cloud_application_namespace
dt.entity.container_group
dt.entity.container_group_instance
dt.entity.host
dt.entity.kubernetes_cluster
dt.entity.kubernetes_node
dt.entity.process_group
dt.entity.process_group_instance
dt.source_entity
Attributes automatically extracted from log content via OneAgent
OneAgent automatically extracts attributes found in the form [!dt key1=value1, key2=value2], and the section itself is removed from the content.
For instance:
127.0.0.1 - [21/Oct/2021:10:33:28 +0200] GET /index.htm HTTP/1.1 404 597 [!dt dt.trace_id=aa764ee37ebaa764ee37eaa764ee37e, dt.span_id=b93ede8b93ede8]
will result in additional dt.trace_id and dt.span_id attributes for the log record, and the actual content sent will be:
127.0.0.1 - [21/Oct/2021:10:33:28 +0200] GET /index.htm HTTP/1.1 404 597
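The extraction described above, sketched as an added Python example (not Dynatrace or OneAgent code): it pulls the [!dt ...] section out of a line and returns the remaining content together with the attributes, which is useful for checking what ends up stored as content and what becomes a queryable attribute. The regular expressions, the handling of malformed sections and the function name are assumptions; the page only shows the marker form and one sample line.

```python
import re

# Assumed grammar for the marker shown on the page: "[!dt k1=v1, k2=v2]".
# The key and value character sets are assumptions; the page only shows
# dotted keys and hexadecimal values.
_DT_SECTION = re.compile(r"\s*\[!dt\s+([^\]]*)\]")
_PAIR = re.compile(r"^([A-Za-z0-9_.]+)=(\S+)$")

# Sample line taken from the page's own example.
SAMPLE_LINE = (
    "127.0.0.1 - [21/Oct/2021:10:33:28 +0200] GET /index.htm HTTP/1.1 404 597 "
    "[!dt dt.trace_id=aa764ee37ebaa764ee37eaa764ee37e, dt.span_id=b93ede8b93ede8]"
)


def extract_dt_attributes(line):
    """Return (content_without_section, attributes) for one log line."""
    attributes = {}

    def _collect(match):
        pairs = [p.strip() for p in match.group(1).split(",")]
        parsed = [_PAIR.match(p) for p in pairs if p]
        if not parsed or not all(parsed):
            # Assumption: a malformed section is left in the content
            # and contributes no attributes.
            return match.group(0)
        for pair in parsed:
            attributes[pair.group(1)] = pair.group(2)
        # A well-formed section is removed from the content, together
        # with the whitespace that preceded it.
        return ""

    content = _DT_SECTION.sub(_collect, line)
    return content, attributes


if __name__ == "__main__":
    content, attrs = extract_dt_attributes(SAMPLE_LINE)
    print("content:", content)
    for key, value in attrs.items():
        print(f"{key} = {value}")
```

The ordinary bracketed timestamp in the sample line is untouched because only sections that start with [!dt are considered.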