Log Event

Description

A Vector log event is a structured representation of a point-in-time event. It contains an arbitrary set of fields that describe the event.

A key tenet of Vector is to remain schema neutral. This ensures that Vector can work with any schema, supporting legacy and future schemas as your needs evolve. Vector does not require any specific fields, and each component will document the fields it provides.

Schema

example log event
{
  "log":{
    "custom":"field",
    "host":"my.host.com",
    "message":"Hello world",
    "timestamp":"2020-11-01T21:15:47+00:00"
  }
}
  • commonoptional*

    *

    An arbitrary set of key/value pairs that can be infinitely nested.

    Components

    View all log compatible components

    How It Works

    Schemas

    Vector is schema-neutral and does not require any specific schema. This ensures that Vector can work with a variety of schemas, supporting legacy schemas as well as future schemas.

    Vector does plan to implement a common information model that would recognize popular schemas, allowing you to seamlessly transform between schemas. You can track progress on this work in issue 3910.

    Types

    Strings

    Strings are UTF-8 compatible and are only bounded by the available system memory.

    Integers

    Integers are signed integers up to 64 bits.

    Floats

    Floats are 64-bit IEEE 754 floats.

    Booleans

    Booleans represent binary true/false values.

    Timestamps

    Timestamps are represented as DateTime Rust structs stored as UTC.

    Timestamp Coercion

    There are cases where Vector interacts with formats that do not have a formal timestamp definition, such as JSON. In these cases, Vector will ingest the timestamp in its primitive form (string or integer). You can then coerce the field into a timestamp using the coercer transform. If you are parsing this data out of a string, all Vector parser transforms include a types option, allowing you to extract and coerce in one step.

    Time Zones

    If Vector receives a timestamp that does not contain timezone information Vector assumes the timestamp is in local time, and will convert the timestamp to UTC from the local time.

    Null Values

    For compatibility with JSON log events, Vector also supports null values.

    Maps

    Maps are associative arrays mapping string fields to values of any type.

    Arrays

    Array fields are sequences of values of any type.

    Contents
    Resources