
@jplsightm
Created October 14, 2020 20:13
Datadog Message Remapping

Enabling message search and pattern recognition with JSON logs in Datadog

It is generally recommended that logs sent to Datadog be in JSON format. JSON lets attributes be identified automatically, which avoids the need to write grok processors (these can get complex). These attributes matter because you can then create facets to find the logs that are important to you without learning a complex query language. The catch is that the log message does not appear to be available: the text lives in an ordinary attribute rather than in the reserved message attribute, so the message column is empty. This is easily resolved with the Message Remapper.

Setup and defining the problem

I have created some sample logs that I am forwarding to Datadog. A sample of how these logs look can be found below:

{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}
{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}
{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "here_we_are for the win, 2"}
{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}
{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "b_computer", "text": "4 - what now"}
{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}
{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "here_we_are for the win, 2"}
{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "b_computer", "text": "4 - what now"}

These logs will look like this:

To ensure that the logs have a message we will apply a Message Remapper. This is done from the log pipeline configuration page: open the pipeline in question and add a Message Remapper processor with text as its source attribute. In this instance the Message Remapper was placed at the end of the pipeline. The image below shows how this was configured; the text attribute will now be the log message:

Note that text is no longer an attribute and the log message now appears in the message box.

The image below shows how the logs look in the log search page. The message will be remapped for all logs going forward; pipeline processors only apply to logs ingested after the processor is added, so logs that were already indexed are not reprocessed.

In the screenshot above, the logs at the top went through the Message Remapper; the logs at the bottom were processed before it was added and still have no message.

Searching and pattern recognition

With the message set for each log you can take advantage of pattern search, which groups logs whose messages differ only in variable parts such as numbers:

Additionally, a free text search can be performed on the message:
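To make the effect of the remapper and the two searches concrete, the following is an added example, not code from the gist: it replays the page's sample logs through a small stand-in for the Message Remapper (move the configured source attribute into message and drop it as an attribute), then runs a free text search and a crude pattern grouping over the result. The processor definition returned by message_remapper_processor follows the shape the Datadog logs pipelines API uses for a processor of type message-remapper; the processor name is an assumption, and the pattern grouping (numbers collapsed to a placeholder) is a simplification of what the Datadog Patterns view does.

```python
import json
import re
from collections import Counter

# Constructed sample logs, the same lines shown on the page.
SAMPLE_LOGS = [
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}',
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}',
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "here_we_are for the win, 2"}',
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}',
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "b_computer", "text": "4 - what now"}',
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "testing for the win, 10"}',
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "a_computer", "text": "here_we_are for the win, 2"}',
    '{"attribute": "abc", "timestamp": "10/14/2020, 14:15:04", "host": "b_computer", "text": "4 - what now"}',
]


def message_remapper_processor(source_attr="text", name="Remap text to message"):
    """Processor definition in the shape used by the Datadog logs pipelines API
    (type "message-remapper" with a list of source attributes).
    The default name is an assumption for this example."""
    return {
        "type": "message-remapper",
        "name": name,
        "is_enabled": True,
        "sources": [source_attr],
    }


def remap_message(event, sources=("text",)):
    """Stand-in for the Message Remapper: the first source attribute present
    becomes the message and is removed as an attribute. Events with none of
    the sources are returned unchanged (they keep having no message)."""
    out = dict(event)
    for src in sources:
        if src in out:
            out["message"] = out.pop(src)
            break
    return out


def process(raw_lines, sources=("text",)):
    """Parse each raw line as JSON and run it through the remapper.
    A line that is not JSON is treated as Datadog treats raw text: the
    whole line becomes the message."""
    events = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = {"message": line}
        events.append(remap_message(event, sources))
    return events


def free_text_search(events, needle):
    """Case-insensitive free text search over the message attribute."""
    needle = needle.lower()
    return [e for e in events if needle in e.get("message", "").lower()]


def pattern_of(message):
    """Collapse runs of digits so messages that differ only in numbers
    fall into one pattern."""
    return re.sub(r"\d+", "<NUM>", message)


def patterns(events):
    """Count events per pattern, ignoring events that still have no message."""
    return Counter(pattern_of(e["message"]) for e in events if "message" in e)


if __name__ == "__main__":
    print(json.dumps(message_remapper_processor(), indent=2))
    events = process(SAMPLE_LOGS)
    for e in events:
        print(e["host"], "->", e["message"])
    print("free text 'for the win':", len(free_text_search(events, "for the win")))
    for pat, n in patterns(events).most_common():
        print(f"{n:>3}  {pat}")
```

Running it shows the three patterns the page's screenshot groups the eight logs into, and the free text search over message only works because the remapper moved the text attribute into message first; running free_text_search over the raw parsed JSON (without remap_message) would return nothing.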
