Common Gotchas

Tips and tricks

A few common log patterns may cause unexpected behavior with AutoExtract:

• Use of colons: Because the text word: value is treated as a field value for word, this can cause some patterns to have a value. For example, something happened here: some details will cause the field here to be extracted with the value some.

  • To avoid this gotcha, use ., :: or another separator that isn't : or = (for example, |). For example: something happened here. some details or something happened here|some details.

  • As a special case, "category labels" that appear at the start of a log message (e.g., MyModule: SubLayer: the rest of my log event) are properly extracted as you would expect.

• No whitespace after the end of a sentence: One of the conventions is that if there is a word followed by a parenthetical value (e.g., field(some value)), it extract this as a field. This could be unexpected if you have a log message with some explanatory text, and some additional context in parentheses that is not actually a field value (e.g., some sentence(hello world)).

  • To avoid a field association, make sure there is a space or punctuation after the sentence (e.g., some sentence (hello world)).

Here's an example log line that demonstrates these common gotchas. Try adjusting the example to avoid the unexpected behaviors:

module: submodule: something happened: some sentence(hello world)

Unsupported formats

If your log data is structured but is not detected by AutoExtract, give us feedback. You can also use client-side transformations in the log forwarding agent (e.g., using a Vector agent and its VRL feature) to shape the data as needed.