
Supported Data Types

📘 Logs

Configuring the Sawmills Parse Log Processor

The Sawmills Parse Log Processor extracts structured data from unstructured log messages using regex patterns with named capture groups. This lets you parse your logs into more readable and queryable fields.

Configuration Components

1. Name

  • Description: Identifier for your processor. Use a unique and descriptive name to differentiate between multiple processors.

2. Attribute Filters

  • Conditions: Specify conditions to filter events before processing. Events must satisfy all conditions (AND) or at least one (OR) based on the selected logic.
Each condition follows this sequence:
  1. Choose the condition type:
    • Log Level (Severity)
    • Body as String
  2. Select a comparison operator:
    • Equals / Not Equals
  3. Provide a value:
    • Log Level: Select from a dropdown (INFO, WARN, ERROR, etc.).
    • Body as String: Enter a free-text value for matching.

3. Source Field

  • Description: Defines which field to parse the data from.

4. Extraction Pattern

  • Regex: Use (?P<name>...) syntax to define a regex with at least one named capture group. The name determines the new attribute name.
  • Grok: Use ${PATTERN:name} syntax to define fields. The name after the colon determines the new attribute name.
Select a log line in Live Tail and use Generate Regex/Grok Pattern to auto-generate this pattern.
If the extracted named group matches an existing key, the existing value will be replaced by the parsed value.

5. Target Location

  • Description: Specifies where to store the extracted data.
    • Attributes: Stores extracted fields in Attributes.
    • Body: Stores extracted fields in the log body (creates or updates the map structure).
Extracting to Resource Attributes is not supported.

6. Target Key (optional)

  • Description: Specify a key to store all extracted fields as a nested map under that key.
    • If omitted, extracted fields are merged directly into the target location.
    • If provided, extracted fields become a nested map under the given key.

Insertion Behavior

  • Root Level (No Target Key): Extracted fields are upserted into the current attributes map, or into the body map if the body is structured.
  • Sub Level (Target Key Specified): Extracted fields are stored under the specified key as a nested map.
If the body is unstructured and the target is the body (with or without target key), the extracted fields will replace the body entirely.
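
The insertion rules above, modeled in Python as an added example (this is not Sawmills code). It shows that root-level insertion overwrites an existing attribute with text taken from the log line, while a target key keeps the parsed values in their own nested map. Assumptions: the record shape, the sample log line, the `parse_log` helper and its parameter names, pass-through of non-matching records, and that a nested map replaces any value already stored under the target key.

```python
import copy
import re

# Constructed sample record; the field names are assumptions for this sketch.
SAMPLE = {
    "body": "user=alice ip=203.0.113.7 status=denied",
    "attributes": {"user": "svc-ingest", "env": "prod"},
}
PATTERN = r"user=(?P<user>\S+) ip=(?P<ip>\S+) status=(?P<status>\S+)"


def parse_log(record, pattern, source="body", target="attributes", target_key=None):
    """Hypothetical model of the documented insertion behavior; returns a new record."""
    out = copy.deepcopy(record)
    text = out["body"] if source == "body" else out["attributes"].get(source)
    match = re.search(pattern, text) if isinstance(text, str) else None
    if match is None:
        return out  # assumption: a non-matching record passes through unchanged
    fields = match.groupdict()  # capture-group name becomes the new attribute name
    if target == "attributes":
        dest = out["attributes"]
    elif isinstance(out["body"], dict):
        dest = out["body"]  # structured body: upsert into the existing map
    else:
        dest = out["body"] = {}  # unstructured body: replaced entirely
    if target_key is None:
        dest.update(fields)  # root level: same-named keys are overwritten
    else:
        dest[target_key] = fields  # sub level: nested map under the key
    return out


if __name__ == "__main__":
    print(parse_log(SAMPLE, PATTERN))                       # "user" is overwritten
    print(parse_log(SAMPLE, PATTERN, target_key="parsed"))  # "user" is preserved
    print(parse_log(SAMPLE, PATTERN, target="body"))        # body string is replaced
```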