On Mon, 19 Jun 2023, Kjetil Torgrim Homme wrote:
> We are using Vector to inject log files into Elasticsearch, and it has built-in support for turning k=v pairs into JSON documents for indexing and storage. It would be nice if the quoting technique used was compatible with this (I think it is, but haven't checked closely).
It is.
> Elasticsearch has tried to come up with standards for field names for easier analysis across products, Elastic Common Schema. Take a look at https://www.elastic.co/guide/en/ecs/current/ecs-reference.html
The problem (or nice thing) with standards is that there are so many to choose from :-)
Elastic has one, Splunk has a different one, etc. If the product is consistent, then it can get mapped to whatever you want; too much of the time the product's logs are NOT consistent and the mapping for the same field name varies from place to place in the product (based on the mindset of the developer when writing the log out in a particular area).
David Lang

------------------------------------------
Cyrus: Devel
Permalink: https://cyrus.topicbox.com/groups/devel/T4f31bdf24bafdf26-M302cb83ec82d66dd7f4ab520