Unsure if this applies to your logs? Send us a message at hello@betterstack.com!
Explore documentation
Automatic JSON extraction from strings
We automatically recognize when a field contains a generic string followed by a JSON, and we expand it so that you can search it easily.
Example of payloads Logs supports:
// Simple text string
{"message": "Hello, Logs!"}
// ... will be parsed into this
{
"message_string": "Hello, Logs!"
}
// ---
// String followed by JSON
{"message": "Nov 30 11:22:34 localdomain sudo[14170]: {\"metadata\":{\"server_name\":\"Optimus\",\"local_time_zone\":\"GMT+1\",\"created_at\":1631689974}}"
// ... will be parsed into this
{
"message_string": "Nov 30 11:22:34 localdomain sudo[14170]: ",
"message.metadata.server_name_string": "Optimus",
"message.metadata.local_time_zone_string": "GMT+1",
"message.metadata.created_at_integer": 1631689974
}
// ---
// We support this automatic JSON expansion in all string fields, e.g.
{
"request": "Started GET /api/v1/heartbeat/sUTvXxY2c6yaA91RcAkxA8c5 {\"context\":{\"thread_id\":1234,\"pid\":123},\"level\":\"INFO\"}",
"response": "204 No Content {\"context\":{\"thread_id\":1234,\"pid\":456},\"duration\":35.63}"
}
// ... will be parsed into this
{
"request_string": "Started GET api/v1/heartbeat/sUTvXxY2c6yaA91RcAkxA8c5",
"request.context.thread_id_integer": 1234,
"request.context.pid_integer": 123,
"request.level_string": "INFO",
"response_string": "204 No Content",
"response.context.thread_id_integer": 1234,
"response.context.pid_integer": 456,
"response.duration_float": 35.63
}