Parse and Query JSON Logs
Learn how to parse and query JSON logs.
Parse JSON Logs
When ingesting logs, Kloudfuse automatically detects JSON-formatted log lines and extracts log facets.
The practical default limit for the number of facets that a single log line can produce is 50. When there are more than 50 possible facets (over the limit), facet extraction may fail.
To increase the limit, override the configuration.
logs-parser:
  - skipAutoFacet:
      args:
        maxFacetsCount: 100  # (1)

(1) maxFacetsCount: Increase the maximum number of facets extracted from a log line to 100.
You can also add a condition so that the rule applies only to log lines that match it; see Parsing configuration example.
Parsing Example
Consider the following log line:
{
  "timestamp": "2021-09-01T00:00:00.000Z",
  "level": "INFO",
  "message": "User logged in",
  "user-name": "john.doe",
  "aliases": ["johndoe", "johnny"],
  "location": {
    "city": "San Francisco",
    "state": "California"
  }
}
Kloudfuse "flattens" facet names to use _ (the underscore character) to join nested fields. It also extracts the aliases field as a string.
The extracted facets are timestamp, level, message, user_name, location_city, location_state, and aliases.
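To see which facet names a log line would yield and whether it would exceed the facet limit before it is ingested, the flattening described above can be approximated locally. This is an added example, not Kloudfuse code: the function names, the rule that every character outside letters, digits and _ becomes _, and the JSON-text form of array values are assumptions based only on the example on this page.

```python
import json
import re

DEFAULT_MAX_FACETS = 50  # default limit stated on this page


def flatten_facets(obj, prefix=""):
    """Flatten a parsed JSON object into {facet_name: value}."""
    facets = {}
    for key, value in obj.items():
        # Assumption: any character outside [A-Za-z0-9_] becomes "_"
        # (the page only shows "user-name" -> "user_name").
        name = re.sub(r"[^A-Za-z0-9_]", "_", key)
        full = f"{prefix}_{name}" if prefix else name
        if isinstance(value, dict):
            # Nested objects are joined to their parent with "_".
            facets.update(flatten_facets(value, full))
        elif isinstance(value, list):
            # Arrays stay one string facet; the exact string form is an assumption.
            facets[full] = json.dumps(value)
        else:
            facets[full] = value
    return facets


def check_line(raw, max_facets=DEFAULT_MAX_FACETS):
    """Return (facets, over_limit) for one raw log line; non-JSON gives ({}, False)."""
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {}, False
    if not isinstance(parsed, dict):
        return {}, False
    facets = flatten_facets(parsed)
    return facets, len(facets) > max_facets


# Constructed sample input: the log line from this page, plus a wide event
# with 60 nested attributes that goes over the default limit.
SAMPLE = '{"timestamp": "2021-09-01T00:00:00.000Z", "level": "INFO", "message": "User logged in", "user-name": "john.doe", "aliases": ["johndoe", "johnny"], "location": {"city": "San Francisco", "state": "California"}}'
WIDE = json.dumps({"event": {f"attr{i}": i for i in range(60)}})

if __name__ == "__main__":
    for raw in (SAMPLE, WIDE):
        facets, over = check_line(raw)
        print(len(facets), "facets,", "OVER LIMIT" if over else "ok")
```

Running it over a sample of each log source shows which sources need a higher maxFacetsCount, so that fields used in searches and alerts are not lost when facet extraction fails.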
Query JSON Logs
After a successful ingestion, you can use the Logs Explorer to search the log lines using the extracted facets. See Facet search for logs.