You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've got a problem that I'm not sure how to solve. We are shipping our application logs using opentelemetry-collector-contrib to Coralogix. The problem is all of our logs are wrapped into logRecord.body nested fields, which are then laborious to use in Coralogix. It would mean all of our queries to the log index would need to include that prefix. Such as WHERE logRecord.body.env = 'prod' AND logRecord.body.foo = 'bar'... I see no value adding this extra noise (i.e. if we are searching for logs, I don't want to always have logRecord.body.* prefix for every single field)
Currently we use filelog receiver to parse the logs, and the exported log records are something like this:
Is there a possibility to remove this nesting altogether?
Or is this something that Coralogix should handle automatically? Full disclosure: there is support for extracting e.g. logRecord.body into the "root of the record", but with our amount of logs it would add significant extra costs just to remove this nesting on Coralogix's side.
Any other thoughts? Am I fighting against the windmills here; meaning I should not even be getting rid of the nested structure (even-though it would make search usability on Coralogix much more tedious)?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Hi! 👋
I've got a problem that I'm not sure how to solve. We are shipping our application logs using
opentelemetry-collector-contribto Coralogix. The problem is all of our logs are wrapped intologRecord.bodynested fields, which are then laborious to use in Coralogix. It would mean all of our queries to the log index would need to include that prefix. Such asWHERE logRecord.body.env = 'prod' AND logRecord.body.foo = 'bar'... I see no value adding this extra noise (i.e. if we are searching for logs, I don't want to always havelogRecord.body.*prefix for every single field)Currently we use
filelogreceiver to parse the logs, and the exported log records are something like this:{ "logRecord": { "observedTimeUnixNano": 1743076727935045000, "body": { "logger_name": "org.example.HelloWorld", "level": "INFO", "message": "Hello, World!", "env": "dev" }, "attributes": { "log.file.name": "helloworld.ndjson" } }, "resource": { "attributes": { "host.name": "helloworld.example.org", "os.type": "linux" } }, "scope": { "attributes": {} }, "resourceSchemaUrl": "https://opentelemetry.io/schemas/1.6.1" }logRecord.bodyinto the "root of the record", but with our amount of logs it would add significant extra costs just to remove this nesting on Coralogix's side.Any other thoughts? Am I fighting against the windmills here; meaning I should not even be getting rid of the nested structure (even-though it would make search usability on Coralogix much more tedious)?
Beta Was this translation helpful? Give feedback.
All reactions