Skip to main content

Customizing Behavior

Per Request Customization

AutoExtract can be disabled on a per-request basis during ingestion by adjusting the following HTTP header values in the API requests made to ingest data:

  • X-No-AutoExtract: Set to 1 to disable AutoExtract and AutoClassify.
  • X-No-Detect-Category: Set to 1 to disable extraction category extraction into the category field.
  • X-No-Detect-Severity: Set to 1 to disable extraction of the severity field from the log text.
  • X-No-Detect-Timestamp: Set to 1 to disable extraction of the timestamp field from any timestamp found in the log text.
  • X-No-Remove-Timestamp-From-Message: Set to 1 to prevent removal of the text of a detected timestamp from the log text.
  • X-No-Unwrap-Raw-Json-In-Message: Set to 1 to disable JSON unwrapping in the log text.
  • X-No-AutoClassify: Set to 1 to disable AutoClassify.
  • X-Pattern-Max-Length: Set this to customize the maximum length of the automatic category set by AutoClassify
  • X-Timezone: Set this to the IANA timezone name (e.g., America/Denver) of the default timezone to use for any timestamps that do not have an explicit timezone offset. The vector.dev template configuration will have logic to automatically pass the local timezone of the vector.dev agent, so normally you should not need to specify this manually.
  • X-Severity-Map: A custom severity mapping to use in addition to standard severity mappings. A list of mappings (key=value) separated by commas to map custom severity values to standard severity values. For example: VeryBad=critical,10=TRACE,20=DEBUG,30=INFO,40=WARN,50=ERROR,60=FATAL

There are other HTTP request headers that can customize other aspects of ingestion, including GeoIP and currency conversion options.

Per Event Customization

You can disable AutoExtract on a per-event basis by setting the __autoextract_disabled field in a given event to true. This will disable all AutoExtract features for that event only.