Introduction
A customer recently asked us for a way to display the log events within 1-2 seconds of when a selected event occurred. Since these events did not have a common identifier, they were evaluated by when they occurred. The customer's log format was extremely consistent and their uploaded logs were associated with parsers that processed the timestamp
(essential when you want to utilize the time assigned to your log events by your platform on DataSet), so we opted to use Smart Links.
How Smart Links Work
In summary, Smart Links use regular expressions to extract data from your log events and apply the extracted fields to URLs. With this functionality, you can provide a link to GitHub when a stack trace error is logged, initiate Google searches, or in our case, generate links to specific DataSet searches for particular events. As previously mentioned, having consistently formatted logs is a prerequisite to using this feature. More information on Smart Links can be found here: https://app.scalyr.com/help/smart-links
Configuring Smart Links
The log lines our customer wanted to initiate the search with included a timestamp in the format
[YYYY-MM-DDTHH:MM:SS.SSS+hh:mm]
We then implemented the Smart Links configuration in our /scalyr/logs configuration file:
searchResultLinks: [ {
regex: "(\\d{4}-\\d{2}-\\d{2})T(\\d{2}:\\d{2}:)(\\d{2})(\\.\\d{3})\\+(\\d{2}:\\d{2})",
subs: [
{arg: 3, match: "1$", replace: "0"},
{arg: 3, match: "2$", replace: "1"},
{arg: 3, match: "3$", replace: "2"},
{arg: 3, match: "4$", replace: "3"},
{arg: 3, match: "5$", replace: "4"},
{arg: 3, match: "6$", replace: "5"},
{arg: 3, match: "7$", replace: "6"},
{arg: 3, match: "8$", replace: "7"},
{arg: 3, match: "9$", replace: "8"},
{arg: 3, match: "10$", replace: "09"},
{arg: 3, match: "20$", replace: "19"},
{arg: 3, match: "30$", replace: "29"},
{arg: 3, match: "40$", replace: "39"},
{arg: 3, match: "50$", replace: "49"},
{arg: 4, match: "\\d{3}", replace: "000"}, // milliseconds
{arg: 5, match: ":", replace: ""} // timezone
],
url: "https://app.scalyr.com/events?filter=&log=%2Fvar%2Flog%2Fblah.log&startTime=${1}T${2}${3}${4}%2B${5}&endTime=%2B2s"
}
]
Here's a brief explanation of what the above fields do:
regex
matches the pattern that will have a hyperlink applied to it. Additionally, fields can be extracted directly from the matching pattern data. Smart Links are applied to all log events that match theregex
field.subs
performs substitutions on the arguments that are extracted from theregex
field. In this case, seconds (arg: 3
) are decremented by 1, milliseconds (arg: 4
) are set to 0, and the timezone field (arg: 5
) is modified so it works with the DataSet search URL parameters.- You can modify the
url
parameter as needed. In this example, theurl
performs a search on the /var/log/blah.log file from thestartTime
parameter (assembled from our timestamp fields) to anendTime
of 2s later - You can apply multiple SmartLinks configurations as needed
Comments
0 comments
Please sign in to leave a comment.