normalize

(This interceptor will no longer be maintained in the future; it is recommended to replace it with a transformer.)

Used for log segmentation.
normalize is a source interceptor. It can be configured to apply only to certain sources.

processors

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| processors | array | true | none | List of all processors |

The configured processors will be executed in order.

Tips

Loggie supports using a.b to refer to nested fields. For example:

    {
      "fields": {
        "hello": "world"
      }
    }

The processors below can use fields.hello to refer to hello: world inside fields.

addMeta

By default, Loggie does not add any internal system information to the raw data. With addMeta, the system's built-in fields can be added to the event and sent downstream.

Note

Configuring addMeta in a pipeline affects only the data sent by that pipeline. If you need the interceptor to take effect globally, configure normalize.addMeta in defaults.

    loggie:
      defaults:
        interceptors:
          - type: normalize
            name: global
            processors:
              - addMeta: ~

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| target | string | false | meta | The field name of the system built-in field added to the event |

regex

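Extract the specified field using a regular expression.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| regex.pattern | string | true | none | regular expression used for parsing |
| regex.target | string | false | body | target field of the regular expression parsing |
| regex.ignoreError | bool | false | false | whether to ignore errors |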

Example

    interceptors:
      - type: normalize
        processors:
          - regex:
              pattern: '(?<ip>\S+) (?<id>\S+) (?<u>\S+) (?<time>\[.*?\]) (?<url>\".*?\") (?<status>\S+) (?<size>\S+)'

With the regular expression above, the following example log can be converted from:

    10.244.0.1 - - [13/Dec/2021:12:40:48 +0000] "GET / HTTP/1.1" 404 683

to:

    "ip": "10.244.0.1",
    "id": "-",
    "u": "-",
    "time": "[13/Dec/2021:12:40:48 +0000]",
    "url": "\"GET / HTTP/1.1\"",
    "status": "404",
    "size": "683"

When writing the configuration, it is recommended to verify that the pattern works with a regular expression debugging tool (https://regex101.com/).
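The same verification can be done offline. The following is an added example, not code from Loggie: it applies the pattern from the configuration above to the page's sample line and to a constructed line that cannot match, so both the extracted fields and the error case can be checked before deployment. The helper names and the rewrite of `(?<name>` to `(?P<name>` (the spelling every Go release accepts) are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern copied from the regex processor configuration above.
const pagePattern = `(?<ip>\S+) (?<id>\S+) (?<u>\S+) (?<time>\[.*?\]) (?<url>\".*?\") (?<status>\S+) (?<size>\S+)`

// compile rewrites (?<name> to (?P<name>, the spelling accepted by every Go
// release. This is the example's own portability step (an assumption).
func compile(pattern string) (*regexp.Regexp, error) {
	return regexp.Compile(strings.ReplaceAll(pattern, "(?<", "(?P<"))
}

// extract returns the named capture groups of the first match in line,
// or an error when the pattern does not match at all.
func extract(re *regexp.Regexp, line string) (map[string]string, error) {
	m := re.FindStringSubmatch(line)
	if m == nil {
		return nil, fmt.Errorf("pattern does not match %q", line)
	}
	fields := make(map[string]string)
	for i, name := range re.SubexpNames() {
		if name != "" {
			fields[name] = m[i]
		}
	}
	return fields, nil
}

func main() {
	re, err := compile(pagePattern)
	if err != nil {
		panic(err)
	}
	// Constructed input: the page's sample line and one line that cannot match.
	samples := []string{
		`10.244.0.1 - - [13/Dec/2021:12:40:48 +0000] "GET / HTTP/1.1" 404 683`,
		`worker started`,
	}
	for _, line := range samples {
		fields, err := extract(re, line)
		fmt.Println(fields, err)
	}
}
```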

jsonDecode

Parse the specified field as JSON.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| jsonDecode.target | string | false | body | The target field of json decode |
| jsonDecode.ignoreError | bool | false | false | whether to ignore errors |

Example

    interceptors:
      - type: normalize
        processors:
          - jsonDecode: ~

split

Split the specified field by a delimiter and extract the parts.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| split.target | string | false | body | target field for split |
| split.separator | string | true | none | delimiter |
| split.max | int | false | -1 | The maximum number of fields obtained by dividing by the delimiter |
| split.keys | string array | true | none | The key corresponding to the segmented field |
| split.ignoreError | bool | false | false | whether to ignore errors |

Example

base

    interceptors:
      - type: normalize
        processors:
          - split:
              separator: '|'
              keys: ["time", "order", "service", "price"]

The split configuration above converts the log from:

    2021-08-08|U12345|storeCenter|13.14

to:

    "time": "2021-08-08"
    "order": "U12345"
    "service": "storeCenter"
    "price": 13.14

max

    interceptors:
      - type: normalize
        processors:
          - split:
              separator: ' '
              max: 2
              keys: ["time", "content"]

Adding max limits the maximum number of fields the split produces. For example, the following log:

    2021-08-08 U12345 storeCenter 13.14

is converted by the configuration above to:

    "time": "2021-08-08"
    "content": "U12345 storeCenter 13.14"

drop

Discards the specified field.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| drop.targets | string array | true | none | field dropped |

Example

    interceptors:
      - type: normalize
        processors:
          - drop:
              targets: ["id", "body"]

rename

Rename the specified field.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| rename.convert | array | true | none | |
| rename.convert[n].from | string | true | none | target of rename |
| rename.convert[n].to | string | true | none | new name |

Example

    interceptors:
      - type: normalize
        processors:
          - rename:
              convert:
                - from: "hello"
                  to: "world"

add

Add fields.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| add.fields | map | true | true | new key:value |

Example

    interceptors:
      - type: normalize
        processors:
          - add:
              fields:
                hello: world

convert

Field type conversion.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| convert.convert | array | true | none | |
| convert.convert[n].from | string | true | none | field to be converted |
| convert.convert[n].to | string | true | none | The converted type, which can be: "bool", "integer", "float" |

Example

    interceptors:
      - type: normalize
        processors:
          - convert:
              convert:
                - from: count
                  to: float

copy

Field copy.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| copy.convert | array | true | none | |
| copy.convert[n].from | string | true | none | field to be copied |
| copy.convert[n].to | string | true | none | new name |

Example

    interceptors:
      - type: normalize
        processors:
          - copy:
              convert:
                - from: hello
                  to: world

underRoot

Move all key:value pairs inside the specified field to the outermost layer of the event.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| underRoot.keys | string array | true | none | field that requires underRoot |

Example

    interceptors:
      - type: normalize
        processors:
          - underRoot:
              keys: ["fields"]

timestamp

Convert time format.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| timestamp.convert | array | true | none | |
| timestamp.convert[n].from | string | true | none | field to be converted |
| timestamp.convert[n].fromLayout | string | true | none | specify the time format of the field (golang form) |
| timestamp.convert[n].toLayout | string | true | none | the converted time format (golang form). Can also be unix and unix_ms. |
| timestamp.convert[n].toType | string | false | none | field type of converted time |
| timestamp.convert[n].local | bool | false | false | whether to convert the parsed time to the current time zone |

Example

    interceptors:
      - type: normalize
        processors:
          - timestamp:
              convert:
                - from: logtime
                  fromLayout: "2006-01-02T15:04:05Z07:00"
                  toLayout: "unix"

For the Go (golang) time layout format, refer to:

    const (
        Layout      = "01/02 03:04:05PM '06 -0700" // The reference time, in numerical order.
        ANSIC       = "Mon Jan _2 15:04:05 2006"
        UnixDate    = "Mon Jan _2 15:04:05 MST 2006"
        RubyDate    = "Mon Jan 02 15:04:05 -0700 2006"
        RFC822      = "02 Jan 06 15:04 MST"
        RFC822Z     = "02 Jan 06 15:04 -0700" // RFC822 with numeric zone
        RFC850      = "Monday, 02-Jan-06 15:04:05 MST"
        RFC1123     = "Mon, 02 Jan 2006 15:04:05 MST"
        RFC1123Z    = "Mon, 02 Jan 2006 15:04:05 -0700" // RFC1123 with numeric zone
        RFC3339     = "2006-01-02T15:04:05Z07:00"
        RFC3339Nano = "2006-01-02T15:04:05.999999999Z07:00"
        Kitchen     = "3:04PM"
        // Handy time stamps.
        Stamp      = "Jan _2 15:04:05"
        StampMilli = "Jan _2 15:04:05.000"
        StampMicro = "Jan _2 15:04:05.000000"
        StampNano  = "Jan _2 15:04:05.000000000"
    )

The layout can also be adapted to your requirements.
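A layout can be tested against real log values before it goes into fromLayout. The following is an added example, not Loggie's implementation: the hypothetical helper convertTime is built on Go's time.Parse and mirrors the documented fromLayout, toLayout and local options on constructed inputs, including the bracketed time field produced by the regex example and a layout that does not fit. That Loggie parses layouts the same way time.Parse does is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// convertTime parses value with fromLayout and renders it as toLayout.
// "unix" and "unix_ms" are the two special toLayout values the table lists.
// Hypothetical helper built on time.Parse; not Loggie's implementation.
func convertTime(value, fromLayout, toLayout string, local bool) (string, error) {
	t, err := time.Parse(fromLayout, value)
	if err != nil {
		return "", fmt.Errorf("layout %q does not fit %q: %w", fromLayout, value, err)
	}
	if local {
		t = t.Local() // same instant, shown in the host's time zone
	}
	switch toLayout {
	case "unix":
		return strconv.FormatInt(t.Unix(), 10), nil
	case "unix_ms":
		return strconv.FormatInt(t.UnixMilli(), 10), nil
	default:
		return t.Format(toLayout), nil
	}
}

func main() {
	// Constructed inputs: {value, fromLayout}.
	cases := [][2]string{
		{"2021-12-13T12:40:48Z", time.RFC3339},
		{"2021-12-13T20:40:48+08:00", time.RFC3339}, // same instant, other offset
		{"[13/Dec/2021:12:40:48 +0000]", "[02/Jan/2006:15:04:05 -0700]"}, // regex example's time field
		{"2021-12-13 12:40:48", "2006-01-02 15:04:05"}, // no zone: time.Parse assumes UTC
		{"[13/Dec/2021:12:40:48 +0000]", time.RFC3339}, // layout does not fit: error
	}
	for _, c := range cases {
		out, err := convertTime(c[0], c[1], "unix", false)
		fmt.Println(out, err)
	}
}
```

The first four inputs normalize to the same epoch value, which is what makes events from differently formatted sources comparable downstream; a value without a zone is read as UTC by time.Parse, so a source logging in local time needs its offset in the layout.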

fmt

Reformat field contents. Fields can be combined and formatted based on the contents of other fields.

| field | type | required | default | description |
| --- | --- | --- | --- | --- |
| fmt.fields | map | true | none | The key represents the field name that needs to be formatted, and the value is the content that needs to be formatted. ${} can be used to express the value of a field. |

Example

    interceptors:
      - type: normalize
        processors:
          - fmt:
              fields:
                d: new-${a.b}-${c}
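How the a.b nested-field reference from the Tips section and the ${} placeholders of fmt fit together, as an added example that is not Loggie's code: the hypothetical helpers lookup and expand resolve dotted paths in a constructed event and substitute them into the template from the configuration above. Returning an error for an unknown field is this example's choice, not documented behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// lookup resolves a dotted path such as "a.b" in a nested event map.
func lookup(event map[string]interface{}, path string) (interface{}, bool) {
	var cur interface{} = event
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false // path continues below a non-map value
		}
		if cur, ok = m[key]; !ok {
			return nil, false // key missing at this level
		}
	}
	return cur, true
}

var placeholder = regexp.MustCompile(`\$\{([^}]+)\}`)

// expand substitutes every ${path} in tmpl with the referenced field value.
// Failing on an unknown field is this example's choice, not documented behaviour.
func expand(event map[string]interface{}, tmpl string) (string, error) {
	var missing []string
	out := placeholder.ReplaceAllStringFunc(tmpl, func(ref string) string {
		path := ref[2 : len(ref)-1] // strip "${" and "}"
		v, ok := lookup(event, path)
		if !ok {
			missing = append(missing, path)
			return ref
		}
		return fmt.Sprint(v)
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unknown fields: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

func main() {
	// Constructed event with a nested field a.b and a top-level field c.
	event := map[string]interface{}{"a": map[string]interface{}{"b": "x"}, "c": 7}
	fmt.Println(expand(event, "new-${a.b}-${c}")) // template from the fmt example above
}
```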