Free Report! Gartner® Hype Cycle™ for Monitoring and Observability.Read more

Extract Metric


The Extract Metric Processor can look at all logs matching a filter, extract a numerical value from a field, and then create a metric with that value. Both the name and units of the created metric can be configured. Additionally, fields from matching logs can be preserved as metric attributes.

Supported Types


Supported Agent Versions



matchstringtrueA boolean expression used to match which logs to count. By default, all logs are counted.
pathstringA boolean expression used to specify the field to extract from a matching log.
metric_namestringlog.countThe name of the metric created.
metric_unitsstring{logs}The unit of the metric created. See Unified Code for Units of Measure for available units.
attributesmap{}The mapped attributes of the metric created. Each key is an attribute name. Each value is an expression that extracts data from the log.

Expression Language

In order to match or extract values from logs, the following keys are reserved and can be used to traverse the logs data model.

bodyUsed to access the body of the log.
attributesUsed to access the attributes of the log.
resourceUsed to access the resource of the log.
severity_enumUsed to access the severity enum of the log.
severity_numberUsed to access the severity number of the log.

In order to access embedded values, use JSON dot notation. For example, body.example.field can be used to access a field two levels deep on the log body.

However, if a key already possesses a literal dot, users will need to use bracket notation to access that field. For example, when the field exists on the log's resource, users will need to use resource[""] to access this value.

For more information about syntax and available operators, see the Expression Language Definition.

Example Configurations

Default Configuration

By default, all logs collected by the source will be counted, with the value used to create a new metric called log.count with the unit of {logs}.

Break Down HTTP Request Durations by Status

In this configuration, we want to parse our HTTP server logs to create metrics representing how long each request took, broken down by status code. Our logs are JSON with the following structure:

2  "level": "warn",
3  "host": "",
4  "datetime":"2022-12-02T10:21",
5  "duration": 122,
6  "method": "POST",
7  "request": "/api/v1/apply",
8  "protocol": "HTTP/1.1",
9  "status": 200

The match expression will exclude all logs without a status code in its body:

1body.duration != nil

Our path expression will be the path to the duration field of the body, which we know is the request duration in milliseconds.


We'll name this metric http.request.duration, then we'll use the status code for the status_code metric attribute on the created metric:

2  status_code: body.status
observIQ docs - Extract Metric - image 1