Event Timeline
This is the result of parsing a php-fpm slowlog trace. This is obtained as follows:
- Read the input file with imfile's readMode set to 1, so that multiline messages are compacted into paragraphs
- Apply the following normalizing rule:
version=2 rule=:%[ {"type": "literal", "text": "["}, {"name": "date", "type": "char-to", "extradata": "]"}, {"type": "literal", "text": "] [pool"}, {"name": "pool","type": "char-to", "extradata": "]"}, {"type": "literal", "text": "] pid "}, {"name": "pid", "type": "number"}, {"type": "literal", "text": "#012"}, {"type": "literal", "text": "script_filename = "}, {"name": "script_filename", "type": "char-to", "extradata": "#"}, {"type": "literal", "text": "#012"}, { "name": "stacktrace", "type": "repeat", "while": {"type":"literal", "text":"#012"}, "parser": [ {"type": "literal", "text": "["}, {"name": "address", "type": "char-to", "extradata": "]"}, {"type": "literal", "text": "] "}, {"name": "function", "type": "word"}, {"type": "literal", "text": " "}, {"name": "file", "type": "char-to", "extradata": ":"}, {"type": "literal", "text": ":"}, {"name": "line", "type": "number"} ] }, {"type": "literal", "text": "#"} ]%
Open questions:
- Can we improve date parsing?
- Is it useful to get this to logstash? To the centralized syslog?
- Is there a message size limitation I should be aware of?
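The following is an added example, not part of the task comments above: a stand-alone Python re-implementation of what the liblognorm rule extracts from one rsyslog-compacted php-fpm slowlog paragraph (LF escaped as "#012"), useful for checking the rule's field layout against sample input offline. The sample paragraph and the extra ISO "timestamp" field (addressing the date-parsing question) are constructed assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: one php-fpm slowlog paragraph after imfile (readMode=1)
# joined the lines, with each LF escaped by rsyslog as "#012".
SAMPLE = (
    "[21-Mar-2019 10:12:34] [pool www] pid 1234"
    "#012script_filename = /srv/app/index.php"
    "#012[0x00007f1a2b3c4d5e] mysqli_query() /srv/app/includes/Db.php:88"
    "#012[0x00007f1a2b3c4d60] runQuery() /srv/app/includes/Db.php:42"
    "#012[0x00007f1a2b3c4d62] main() /srv/app/index.php:17"
    "#"
)

# Mirrors the rule: "[date] [pool X] pid N", then "script_filename = ...",
# then repeated frames "[address] function file:line".
HEADER_RE = re.compile(r"^\[(?P<date>[^\]]+)\]\s+\[pool (?P<pool>[^\]]+)\] pid (?P<pid>\d+)$")
SCRIPT_RE = re.compile(r"^script_filename = (?P<script_filename>.+)$")
FRAME_RE = re.compile(r"^\[(?P<address>[^\]]+)\] (?P<function>\S+) (?P<file>[^:]+):(?P<line>\d+)$")


def parse_slowlog_paragraph(msg: str) -> Optional[Dict]:
    """Return the fields the rule would emit, or None if the paragraph does not match."""
    # The rule ends on a literal "#", i.e. the escaped trailing newline; drop it.
    for tail in ("#012", "#"):
        if msg.endswith(tail):
            msg = msg[: -len(tail)]
            break
    lines = msg.split("#012")
    if len(lines) < 2:
        return None
    header = HEADER_RE.match(lines[0])
    script = SCRIPT_RE.match(lines[1])
    if not header or not script:
        return None
    frames: List[Dict] = []
    for raw in lines[2:]:
        m = FRAME_RE.match(raw)
        if not m:
            return None  # one malformed frame fails the whole rule, as in mmnormalize
        frames.append({**m.groupdict(), "line": int(m.group("line"))})
    event = {**header.groupdict(), "pid": int(header.group("pid")),
             "script_filename": script.group("script_filename"), "stacktrace": frames}
    # Assumed addition: php-fpm's "%d-%b-%Y %H:%M:%S" date normalised to ISO 8601.
    event["timestamp"] = datetime.strptime(event["date"], "%d-%b-%Y %H:%M:%S").isoformat()
    return event
```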
ECS has built-in support for date parsing timestamp fields of varying formats.
- Is it useful to get this to logstash? To the centralized syslog?
I would venture to guess yes if it is valuable to dashboard and/or generate metrics on this data.
- Is there a message size limitation I should be aware of?
It was indicated that 1MB is well below the ES absolute maximum message size. If that's the case, it should be fine.