Log Event
Description
A log event is a structured representation of a point-in-time event. It contains
an arbitrary set of fields (key/value pairs) that describe the event.
Examples
- Default Schema
- Custom Fields
- Nested Fields
{"host": "my.host.com","message": "<13>Feb 13 20:07:26 74794bfb6795 root[8539]: i am foobar","timestamp": "2019-11-01T21:15:47+00:00"}
Schema
[key]
In addition to the defined fields, you are welcome to add your own fields.
host
Represents the originating host of the log. This is commonly used in sources but can be overridden via the host_field option for relevant sources.
message
Represents the log message. This is the key used when ingesting raw string data.
timestamp
A normalized Rust DateTime struct in UTC. See Timestamp Coercion for more info.
Components
How It Works
Time Zones
If Vector receives a timestamp that does not contain time zone information,
Vector assumes the timestamp is in local time and converts it to UTC from the
local time. It is important that the host system contain time zone data files
so that the local time zone can be determined properly. These files are
typically installed through the tzdata package. See issue 551
for more info.
Timestamp Coercion
There are cases where Vector interacts with formats that do not have a formal
timestamp definition, such as JSON. In these cases, Vector will ingest the
timestamp in its primitive form (string or integer). You can then coerce the
field into a timestamp using the coercer transform. If you are parsing this data
out of a string, all Vector parser transforms include a types option,
allowing you to extract and coerce in one step.
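The Time Zones and Timestamp Coercion behavior described above matters when correlating events across hosts: a zone-less timestamp lands at a different UTC instant depending on where it is ingested. The sketch below is an added illustration, not Vector's code; the function names are hypothetical, fixed UTC offsets stand in for the host's tzdata-derived local zone, and integers are assumed to be epoch seconds.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Vector output); all three describe the same instant.
SAMPLE_EVENTS = [
    '{"host": "a.example", "timestamp": "2019-11-01T21:15:47+00:00"}',  # explicit offset
    '{"host": "b.example", "timestamp": "2019-11-01T16:15:47"}',        # no zone information
    '{"host": "c.example", "timestamp": 1572642947}',                   # integer (epoch seconds)
]

def coerce_timestamp(value, local_offset):
    """Coerce a primitive (string or integer) timestamp to an aware UTC datetime.

    local_offset stands in for the ingesting host's local zone and is applied
    only when a string carries no offset of its own.
    """
    if isinstance(value, bool):  # bool is a subclass of int; reject it explicitly
        raise TypeError("boolean is not a timestamp")
    if isinstance(value, int):
        # Assumption: integers are seconds since the Unix epoch, which is zone-free.
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        parsed = datetime.fromisoformat(value)
        if parsed.tzinfo is None:
            # Zone-less input: interpret as local time, then convert to UTC.
            parsed = parsed.replace(tzinfo=local_offset)
        return parsed.astimezone(timezone.utc)
    raise TypeError(f"cannot coerce {type(value).__name__} to a timestamp")

def normalize(line, local_offset):
    """Parse one JSON event and return (host, UTC timestamp)."""
    event = json.loads(line)
    return event["host"], coerce_timestamp(event["timestamp"], local_offset)

if __name__ == "__main__":
    for name, hours in (("UTC-5", -5), ("UTC+1", 1)):
        offset = timezone(timedelta(hours=hours))
        print(f"ingest host at {name}:")
        for line in SAMPLE_EVENTS:
            host, ts = normalize(line, offset)
            print(f"  {host}  {ts.isoformat()}")
```

Only the zone-less event moves between the two runs; the events with an explicit offset or an epoch integer normalize to the same UTC instant on any host.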
Types
Strings
Strings are UTF-8 compatible and are only bounded by the available system memory.
Ints
Integers are signed integers up to 64 bits.
Floats
Floats are signed floats up to 64 bits.
Booleans
Booleans represent binary true/false values.
Timestamps
Timestamps are represented as DateTime Rust structs
stored as UTC.