Tokenizer Transform

The Vector tokenizer transform tokenizes a field's value by splitting on white space, ignoring special wrapping characters, and zip the tokens into ordered field names.

Configuration

[transforms.my_transform_id]
# General
type = "tokenizer" # required
inputs = ["my-source-or-transform-id"] # required
drop_field = true # optional, default
field = "message" # optional, default
field_names = ["timestamp", "level", "message", "parent.child"] # required
# Types
types.status = "int" # example
types.duration = "float" # example
types.success = "bool" # example
types.timestamp_iso8601 = "timestamp|%F" # example
types.timestamp_custom = "timestamp|%a %b %e %T %Y" # example
types.timestamp_unix = "timestamp|%F %T" # example
types.parent.child = "int" # example
  • commonoptionalbool

    drop_field

    If true the field will be dropped after parsing.

    • Default: true
    • View examples
  • commonoptionalstring

    field

    The log field to tokenize.

    • Default: "message"
    • View examples
  • commonrequired[string]

    field_names

    The log field names assigned to the resulting tokens, in order.

    • View examples
  • commonoptionaltable

    types

    Key/value pairs representing mapped log field names and types. This is used to coerce log fields from strings into their proper types. The available types are listed in the Types list below.

    Timestamp coercions need to be prefaced with timestamp|, for example "timestamp|%F". Timestamp specifiers can use either of the following:

    1. One of the built-in-formats listed in the Timestamp Formats table below.
    2. The time format specifiers from Rust's chrono library.

    Types

    • array
    • bool
    • bytes
    • float
    • int
    • map
    • null
    • timestamp (see the table below for formats)

    Timestamp Formats

    FormatDescriptionExample
    %F %TYYYY-MM-DD HH:MM:SS2020-12-01 02:37:54
    %v %TDD-Mmm-YYYY HH:MM:SS01-Dec-2020 02:37:54
    %FT%TISO 8601[RFC
    3339](https://tools.ietf.org/html/rfc3339) format without time zone

    2020-12-01T02:37:54 %a, %d %b %Y %T | RFC 822/2822 without time zone | Tue, 01 Dec 2020 02:37:54 %a %d %b %T %Y | date command output without time zone | Tue 01 Dec 02:37:54 2020 %a %b %e %T %Y | ctime format | Tue Dec 1 02:37:54 2020 %s | UNIX timestamp | 1606790274 %FT%TZ | ISO 8601/RFC 3339 UTC | 2020-12-01T09:37:54Z %+ | ISO 8601/RFC 3339 UTC with time zone | 2020-12-01T02:37:54-07:00 %a %d %b %T %Z %Y | date command output with time zone | Tue 01 Dec 02:37:54 PST 2020 %a %d %b %T %z %Y| date command output with numeric time zone | Tue 01 Dec 02:37:54 -0700 2020 %a %d %b %T %#z %Y | date command output with numeric time zone (minutes can be missing or present) | Tue 01 Dec 02:37:54 -07 2020

    Note: the examples in this table are for 54 seconds after 2:37 am on December 1st, 2020 in Pacific Standard Time.

Telemetry

This component provides the following metrics that can be retrieved through the internal_metrics source. See the metrics section in the monitoring page for more info.

  • counter

    processing_errors_total

    The total number of processing errors encountered by this component. This metric includes the following tags:

    • component_kind - The Vector component kind.

    • component_name - The Vector component ID.

    • component_type - The Vector component type.

    • error_type - The type of the error

    • instance - The Vector instance identified by host and port.

    • job - The name of the job producing Vector metrics.

  • counter

    processed_events_total

    The total number of events processed by this component. This metric includes the following tags:

    • component_kind - The Vector component kind.

    • component_name - The Vector component ID.

    • component_type - The Vector component type.

    • file - The file that produced the error

    • instance - The Vector instance identified by host and port.

    • job - The name of the job producing Vector metrics.

  • counter

    processed_bytes_total

    The total number of bytes processed by the component. This metric includes the following tags:

    • component_kind - The Vector component kind.

    • component_name - The Vector component ID.

    • component_type - The Vector component type.

    • instance - The Vector instance identified by host and port.

    • job - The name of the job producing Vector metrics.

Examples

Given the following Vector event:

{
"log": {
"message": "5.86.210.12 - zieme4647 [19/06/2019:17:20:49 -0400] \"GET /embrace/supply-chains/dynamic/vertical\" 201 20574"
}
}

And the following configuration:

[transforms.tokenizer]
type = "tokenizer"
field = "message"
field_names = ["remote_addr", "ident", "user_id", "timestamp", "message", "status", "bytes"]
types.timestamp = "timestamp"
types.status = "int"
types.bytes = "int"

The following Vector log event will be output:

{
"remote_addr": "5.86.210.12",
"user_id": "zieme4647",
"timestamp": "19/06/2019:17:20:49 -0400",
"message": "GET /embrace/supply-chains/dynamic/vertical",
"status": 201,
"bytes": 20574
}

How It Works

Blank Values

Both " " and "-" are considered blank values and their mapped fields will be set to null.

Special Characters

In order to extract raw values and remove wrapping characters, we must treat certain characters as special. These characters will be discarded:

  • "..." - Quotes are used tp wrap phrases. Spaces are preserved, but the wrapping quotes will be discarded.
  • [...] - Brackets are used to wrap phrases. Spaces are preserved, but the wrapping brackets will be discarded.
  • \ - Can be used to escape the above characters, Vector will treat them as literal.