Log Event

Description

A log event is a structured representation of a point-in-time event. It contains an arbitrary set of fields (key/value pairs) that describe the event.

Schema

{
  "my-key": "my-value",
  "host": "my.host.com",
  "message": "<13>Feb 13 20:07:26 74794bfb6795 root[8539]: i am foobar",
  "timestamp": "2019-11-01T21:15:47+00:00"
}

Fields (4 items; a type of * means any type):

[key]
Type: *, optional. No default.

In addition to the defined fields, you are welcome to add your own fields.

host
Type: string, optional. No default.

Represents the originating host of the log. This is commonly used in sources but can be overridden via the host_field option for relevant sources.

message
Type: string, required. No default.

Represents the log message. This is the key used when ingesting raw string data.

timestamp
Type: timestamp, required. No default.

A normalized Rust DateTime struct in UTC. See Timestamp Coercion for more info.


How It Works

Time Zones

If Vector receives a timestamp that does not contain time zone information, Vector assumes the timestamp is in local time and converts it from local time to UTC. It is important that the host system contains time zone data files so that the local time zone can be determined correctly; these are typically installed through the tzdata package. See issue 551 for more info.

Timestamp Coercion

There are cases where Vector interacts with formats that do not have a formal timestamp definition, such as JSON. In these cases, Vector ingests the timestamp in its primitive form (string or integer). You can then coerce the field into a timestamp using the coercer transform. If you are parsing this data out of a string, all Vector parser transforms include a types option, allowing you to extract and coerce in one step.
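The following configuration is an added example illustrating both the Time Zones and Timestamp Coercion sections above; it is not taken from the Vector documentation or the Vector project. The source and transform names (app_logs, parse_app, app_json, parse_json, coerce_json), the log line format and the file path are all assumed. It shows the two paths the text describes: a parser transform's types option extracting and coercing a zone-less timestamp in one step (Vector will treat that value as local time and store it as UTC), and the coercer transform converting a primitive integer timestamp that arrived via JSON.

```toml
# Added example configuration; names and paths are assumptions, not Vector's own.

[sources.app_logs]
  type = "file"
  include = ["/var/log/app/*.log"]   # placeholder path

# A raw line is assumed to look like (constructed sample):
#   2019-11-01T21:15:47 status=200 duration=0.42 msg="request served"
[transforms.parse_app]
  type = "regex_parser"
  inputs = ["app_logs"]
  regex = '^(?P<ts>[^ ]+) status=(?P<status>\d+) duration=(?P<duration>[\d.]+) msg="(?P<msg>[^"]*)"$'
  # Extract and coerce in one step via the parser's `types` option.
  # `ts` carries no zone suffix, so Vector assumes local time and converts to UTC;
  # the host needs tzdata installed for that conversion to be correct.
  types.ts = "timestamp|%Y-%m-%dT%H:%M:%S"
  types.status = "int"
  types.duration = "float"

# JSON has no formal timestamp type, so the value arrives as a primitive.
# Constructed sample line on stdin:
#   {"timestamp": 1572642947, "retries": "3", "ok": "true", "message": "done"}
[sources.app_json]
  type = "stdin"

[transforms.parse_json]
  type = "json_parser"
  inputs = ["app_json"]

# Coerce the primitive fields after parsing with the coercer transform.
[transforms.coerce_json]
  type = "coercer"
  inputs = ["parse_json"]
  types.timestamp = "timestamp|%s"   # epoch seconds, already UTC
  types.retries = "int"
  types.ok = "bool"
```

The `types` values are the type names listed under Types on this page (string, int, float, bool, timestamp); for timestamp the strftime-style format after the `|` tells Vector how to read the primitive. A format without a zone designator, as in `parse_app`, is exactly the case where the local-time assumption from the Time Zones section applies.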

Types

Strings

Strings are UTF-8 compatible and are bounded only by the available system memory.

Ints

Integers are signed integers up to 64 bits.

Floats

Floats are signed floats up to 64 bits.

Booleans

Booleans represent binary true/false values.

Timestamps

Timestamps are represented as DateTime Rust structs stored as UTC.