
Extract Metric (Deprecated)

Warning

This processor has been deprecated and replaced with a new Extract Metric processor that supports additional functionality. While it will continue to function, it will no longer receive any enhancements and you should migrate to the new processor. For more information about the new processor, see here.

Description

The Extract Metric Processor can look at all logs matching a filter, extract a numerical value from a field, and then create a metric with that value. Both the name and units of the created metric can be configured. Additionally, fields from matching logs can be preserved as metric attributes.

Supported Types

Metrics | Logs | Traces

Supported Agent Versions

v1.14.0+

Configuration

| Field | Type | Default | Description |
|---|---|---|---|
| match | string | true | A boolean expression used to match which logs to count. By default, all logs are counted. |
| path | string | | An expression used to specify the field to extract from a matching log. |
| metric_name | string | log.count | The name of the metric created. |
| metric_units | string | {logs} | The unit of the metric created. See Unified Code for Units of Measure for available units. |
| attributes | map | {} | The mapped attributes of the metric created. Each key is an attribute name. Each value is an expression that extracts data from the log. |

Expression Language

In order to match or extract values from logs, the following keys are reserved and can be used to traverse the logs data model.

| Key | Description |
|---|---|
| body | Used to access the body of the log. |
| attributes | Used to access the attributes of the log. |
| resource | Used to access the resource of the log. |
| severity_enum | Used to access the severity enum of the log. |
| severity_number | Used to access the severity number of the log. |

In order to access embedded values, use JSON dot notation. For example, body.example.field can be used to access a field two levels deep on the log body.

However, if a key itself contains a literal dot, use bracket notation to access that field. For example, when the field service.name exists on the log's resource, use resource["service.name"] to access its value.

For more information about syntax and available operators, see the Expression Language Definition.


Example Configurations

Default Configuration

By default, all logs collected by the source will be counted, with the value used to create a new metric called log.count with the unit of {logs}.

Break Down HTTP Request Durations by Status

In this configuration, we want to parse our HTTP server logs to create metrics representing how long each request took, broken down by status code. Our logs are JSON with the following structure:

JSON
{
  "level": "warn",
  "host": "10.0.10.0",
  "datetime": "2022-12-02T10:21",
  "duration": 122,
  "method": "POST",
  "request": "/api/v1/apply",
  "protocol": "HTTP/1.1",
  "status": 200
}

The match expression will exclude all logs without a duration in their body:

expr
body.duration != nil

Our path expression will be the path to the duration field of the body, which we know is the request duration in milliseconds.

expr
body.duration

We'll name this metric http.request.duration, then we'll use the status code for the status_code metric attribute on the created metric:

yaml
attributes:
  status_code: body.status
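
To see what this configuration produces, the following added sketch (not observIQ's code or the agent's implementation) models the processor over constructed sample logs: it resolves dot and bracket paths, drops logs where the path is nil, and builds the metric attributes. The function names, the sample logs, the `ms` unit, the `service` attribute, and the handling of non-numeric values are assumptions made for illustration.

```python
import re

# Constructed sample logs in the page's HTTP format (not from the original page).
SAMPLE_LOGS = [
    {"body": {"duration": 122, "status": 200, "request": "/api/v1/apply"},
     "resource": {"service.name": "api"}},
    {"body": {"duration": 87, "status": 500, "request": "/api/v1/apply"},
     "resource": {"service.name": "api"}},
    {"body": {"message": "server started"}, "resource": {"service.name": "api"}},
    {"body": {"duration": "n/a", "status": 502}, "resource": {"service.name": "api"}},
]

# One path segment: a dotted key (body.duration) or a bracketed key (["service.name"]).
_SEGMENT = re.compile(r'\.?([A-Za-z_]\w*)|\["([^"]+)"\]')

def resolve(log, expr):
    """Return the value at a field path, or None (nil) if any segment is missing."""
    value, pos = log, 0
    while pos < len(expr):
        seg = _SEGMENT.match(expr, pos)
        if seg is None:
            raise ValueError(f"unsupported path syntax at offset {pos}: {expr!r}")
        key = seg.group(1) or seg.group(2)
        if not isinstance(value, dict) or key not in value:
            return None
        value, pos = value[key], seg.end()
    return value

def extract_metrics(logs, path, metric_name="log.count", metric_units="{logs}",
                    attributes=None):
    """Emit one data point per log whose `path` field is present and numeric."""
    points = []
    for log in logs:
        value = resolve(log, path)
        # Models the match `<path> != nil`. Skipping non-numeric values is this
        # sketch's choice; the page does not describe the agent's behaviour there.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue
        attrs = {name: resolve(log, expr) for name, expr in (attributes or {}).items()}
        points.append({"name": metric_name, "unit": metric_units,
                       "value": value, "attributes": attrs})
    return points

if __name__ == "__main__":
    for point in extract_metrics(
            SAMPLE_LOGS, "body.duration", "http.request.duration", "ms",
            {"status_code": "body.status", "service": 'resource["service.name"]'}):
        print(point)
```

Only the first two sample logs yield data points; the startup message has no duration field, and the `"n/a"` duration is not a number.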