Skip to content

Instantly share code, notes, and snippets.

@megastef

megastef/patterns.yml

Created May 5, 2017 09:45
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save megastef/f1f478f55f80aed743320383254d0559 to your computer and use it in GitHub Desktop.
Save megastef/f1f478f55f80aed743320383254d0559 to your computer and use it in GitHub Desktop.
Download ZIP
Example process JSON from journald before shipping with Sematext Docker Agent or Logagent
Raw
patterns.yml
json:
enabled: true
removeFields:
- __CURSOR
- __MONOTONIC_TIMESTAMP
- _TRANSPORT
- JOURNAL_NAME
- JOURNAL_PATH
- CURRENT_USE
- CURRENT_USE_PRETTY
- MAX_USE
- MAX_USE_PRETTY
- DISK_KEEP_FREE
- DISK_KEEP_FREE_PRETTY
- DISK_AVAILABLE_PRETTY
- DISK_AVAILABLE
- LIMIT
- LIMIT_PRETTY
- AVAILABLE
- AVAILABLE_PRETTY
- _CAP_EFFECTIVE
- _SYSTEMD_SLICE
unitFilter: !!js/regexp /.*/i
transform: !!js/function >
function (sourceName, parsed, config) {
# in Sematext Docker Agent source name is a combination
# of image_name_container_name use e.g. sourceName.test(/myimageName/) to filter for
# specific applications that log in JSON
if (parsed['_SYSTEMD_UNIT']) {
if (!config.unitFilter.test(parsed['_SYSTEMD_UNIT'])) {
parsed.logagentDropMessage = true
return
}
parsed.logSource = parsed['_SYSTEMD_UNIT'].replace('.service','')
}
parsed['@timestamp'] = new Date(Number(parsed['_SOURCE_REALTIME_TIMESTAMP']))
for (var i=0; i<config.removeFields.length; i++) {
delete parsed[config.removeFields[i]]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment