forked from pivotal-cf/docs-logsearch
search-guide.html.md.erb
---
title: PCF Log Search Tags Dictionary
owner: London Services
---
The following table lists the generated tags that Log Search provides. Log Search attaches these tags when it recognizes that the data belongs to a common log field category. These tags appear at the top of the **Available Fields** list in Kibana, above the raw keys from the source JSON logs sent to Log Search. You can use these tags to [filter data](./using.html#get-started) and more effectively search your logs.
<table id='log-search-tags' border='1' class='nice'>
<col width="25%">
<col width="35%">
<col width="40%">
<tr>
<th>Tag</th>
<th>Description</th>
<th>Example Value</th>
</tr>
<tr>
<td>@level</td>
<td>Severity level of the message</td>
<td>Can be one of: <code>DEBUG</code>, <code>INFO</code>, <code>WARN</code>, <code>ERROR</code> or <code>FATAL</code></td>
</tr>
<tr>
<td>@message</td>
<td>Unparsed, human-readable text of the log. May be empty if all data parses into separate fields</td>
<td><code>Switchboard.Error routing to backend</code></td>
</tr>
<tr>
<td>@raw</td>
<td>Unparsed log message</td>
<td><code>&lt;139&gt;2016-01-28T21:17:52.856995+00:00
10.0.16.11 switchboard [job=proxy-
partition-e3353cc4ddedf43fa7a6 index=0]
{"timestamp":"1454015872.856954575","source":
"Switchboard","message":"Switchboard.Error
routing to backend","log_level":2,"data":
{"error":"No active Backend"}}</code></td>
</tr>
<tr>
<td>@source.deployment</td>
<td>Name of the deployment cluster the log is from. For example, the BOSH deployment or tile name</td>
<td><code>CF</code> if from a Cloud Foundry job, or <code>logsearch</code> if from a logsearch job</td>
</tr>
<tr>
<td>@source.host</td>
<td>GUID of the container running the app. Defaults to @source.ip if not applicable</td>
<td>From a container: <code>4138q23c-1v2c-4a21-9szbc-4b37c11fda0b</code>. From a VM: <code>10.0.1.10</code></td>
</tr>
<tr>
<td>@source.index</td>
<td>Instance of source component job</td>
<td><code>0</code></td>
</tr>
<tr>
<td>@source.ip</td>
<td>IP address of the origin VM</td>
<td><code>10.0.1.10</code></td>
</tr>
<tr>
<td>@source.job</td>
<td>Name of source component</td>
<td>In a Log Search deployment: <code>elasticsearch_data</code>, <code>elasticsearch_master</code>, <code>kibana</code>, etc.</td>
</tr>
<tr>
<td>@source.program</td>
<td>Program emitting the logs</td>
<td><code>cloud_controller_ng</code></td>
</tr>
<tr>
<td>@source.vm</td>
<td>Combination of @source.job and @source.index</td>
<td><code>elasticsearch_data/0</code></td>
</tr>
<tr>
<td>@timestamp</td>
<td>Parsed timestamp of log message, in UTC. Defaults to parse time. Overridden by <code>syslog_timestamp</code>, or timestamp pulled from specific log message</td>
<td><code>2015-11-18T15:00:04.896Z</code></td>
</tr>
<tr>
<td>@timestamp_ns</td>
<td>Nanoseconds since Unix Epoch. Not all logs include nanosecond precision.</td>
<td>For a timestamp of <code>1463503340.250173807</code>, @timestamp_ns is <code>173,807</code></td>
</tr></table>
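
The following added example, which is not Log Search's own parser, shows how the `@raw` line from the table breaks down into the tags listed above and how those tags can then be used to filter events. The field mapping, the function names `tag_event` and `select`, and the joining of the wrapped sample line into one line are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the @raw value from the table, wrapped lines joined.
RAW = ('<139>2016-01-28T21:17:52.856995+00:00 10.0.16.11 switchboard '
       '[job=proxy-partition-e3353cc4ddedf43fa7a6 index=0] '
       '{"timestamp":"1454015872.856954575","source":"Switchboard",'
       '"message":"Switchboard.Error routing to backend","log_level":2,'
       '"data":{"error":"No active Backend"}}')

# Layout of the sample: <PRI>TIMESTAMP HOST PROGRAM [key=value ...] BODY
LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<program>\S+) '
    r'\[(?P<sd>[^\]]*)\] (?P<body>.*)$', re.S)

def tag_event(raw):
    """Map one raw line to tag names from the table (assumed mapping)."""
    m = LINE_RE.match(raw)
    if m is None:
        # Unparseable input keeps only the tags that need no parsing.
        return {'@raw': raw, '@message': raw}
    sd = dict(kv.split('=', 1) for kv in m['sd'].split() if '=' in kv)
    ts = datetime.fromisoformat(m['ts']).astimezone(timezone.utc)
    stamp = ts.isoformat(timespec='milliseconds').replace('+00:00', 'Z')
    event = {
        '@raw': raw,
        '@timestamp': stamp,            # UTC, millisecond precision
        '@source.ip': m['host'],
        '@source.host': m['host'],      # table: defaults to @source.ip
        '@source.program': m['program'],
        '@source.job': sd.get('job'),
        '@source.index': sd.get('index'),
    }
    if 'job' in sd and 'index' in sd:
        event['@source.vm'] = f"{sd['job']}/{sd['index']}"
    try:
        body = json.loads(m['body'])
    except json.JSONDecodeError:
        body = None                     # body is plain text, not JSON
    is_json = isinstance(body, dict)
    event['@message'] = body.get('message', '') if is_json else m['body']
    return event

def select(events, criteria):
    """Keep events whose tags equal every value in criteria."""
    return [e for e in events
            if all(e.get(k) == v for k, v in criteria.items())]
```
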