-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add log.origin fields #563
Conversation
schemas/log.yml
Outdated
@@ -43,3 +43,28 @@ | |||
short: Name of the logger. | |||
description: > | |||
The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | |||
|
|||
- name: source.file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I worry if what we call source here will conflict with what we have in source under https://github.com/elastic/ecs/blob/master/schemas/source.yml At the same time I think some argument could be it is similar?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the same time I think some argument could be it is similar?
I'd say it's actually not really similar to source
. We could also rename to log.origin.*
to avoid ambiguities.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 on origin.
depends on elastic/ecs#563 closes elastic#3
depends on elastic/ecs#563 closes elastic#3
schemas/log.yml
Outdated
example: init | ||
short: The function which originated the log event. | ||
description: > | ||
The name of the function or method which originated the log event. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of curiosity: If it's a method, would we expect it to also indicate what class it belongs to? Something like Foo.bar
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it would just be the bar
in this case. We could, however, add an optional origin.class
for languages which support that concept.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it, SGTM. Lets only add it if we already have a use case for it. But
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We actually do have a use case for logging. For java logging libraries, we usually get both the file name and the class name of the origin. See also https://docs.oracle.com/javase/7/docs/api/java/lang/StackTraceElement.html#getClassName().
I didn't add it at first because not all languages have the concept of a class. But when it's optional, why not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I could name quite a few that have a similar concept ;-) In the case of Golang I would also use .class
even though that is not 100% correct. @axw Hope you agree :-)
+1 on adding class directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:) I'm fine with class as a name, but I would have made it a qualified name like Foo.bar
as you described. @felixbarny what was the reason behind excluding the class name? Is it useful to search on them independently?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see a reason why the class name should be included log.origin.function
, am I missing something?
We can definitely have an additional field for the class (log.origin.class
) which contains the fully qualified class name like org.elasticsearch.bootstrap.Bootstrap
. But we currently don't have that field in the APM schema where we have module instead, which would translate to a Java package.
I'd like to defer these potentially controversial discussions and get the lowest common denominator in which, I think, is log.origin.file.name
, log.origin.file.line
and log.origin.function
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the description it mentions, it can be a function or method. So if it is a method, would it be wrong to put here Bootstrap.foo
? What I'm getting at, it would be nice if the shortcut to this discussion is that both options are fine. Note: I left out the package name on purpose, was not even thinking of it before @felixbarny brought up the example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would seem a bit weird to me as the method name is foo, not Bootstrap.foo. https://docs.oracle.com/javase/7/docs/api/java/lang/StackTraceElement.html#getMethodName() would also just return the method name.
What would be the benefit of concatenating the simple class name and the method name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@felixbarny I'm not too fussed if this is deferred. I don't like to sound like a broken record, but the use case I have in mind is once again profiling, and I was hoping we could find a common definition of fields.
I'd say the benefit of having them combined is having a simple display name, so that UIs don't need to know how to recombine the class and method name. e.g. it's "Class::Method" in C++.
schemas/log.yml
Outdated
@@ -43,3 +43,28 @@ | |||
short: Name of the logger. | |||
description: > | |||
The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | |||
|
|||
- name: origin.file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's reuse the file
object here: https://github.com/elastic/ecs/blob/master/schemas/file.yml#L15
So this becomes log.origin.file.path
I guess?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call! It would be log.origin.file.name
though. Should we then also do log.origin.file.line
instead of log.origin.line
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would make sense I guess. I wonder if we "must" extend file
for this or we just use it here? I'm good with just adding it here but I'm sure at @webmat will have an opinion on this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with directly adding 2-3 specific fields for now 👍
We're going for something like this for package.*
as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: Using the file.*
object here would require a change to ECS, since it is not currently defined as a reusable (nestable) object. I'm not saying this is wrong, as the idea has come up before to capture events like file-copy events, but we should consider this as we work through this PR, addressing where else file.*
could be nested. For now, I would suggest we don't re-use the file.*
object here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not using the full file
object here but re-uses the same structure. Coming up with slightly different names just not to re-use the file
object structure doesn't feel quite right. But I think I don't quite understand what you have in mind here. Which names would you suggest?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
depends on elastic/ecs#563 closes #3
@felixbarny @axw Suggestion for getting this PR in quickly: Remove |
@ruflin @felixbarny after further consideration, I'm personally happy for this to go in as-is. What I have in mind is still a bit future-looking, and could just as easily be implemented as a different field, such as "displayname". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM to also merge as is. @felixbarny really sorry, spotted the core / extended part just now. Can you change and then we get it in? There is also a merge conflict ..
depends on elastic/ecs#563 closes elastic#3
depends on elastic/ecs#563 closes #3
Sorry for not responding to that PR last week, when this was happening. I'm not 100% sold on the addition of I'm not saying we need to move this into |
Likewise, sorry for the late response. I have concerns similar to what @webmat has raised. To help with ECS spec consistency and to avoid ECS user confusion, we've been providing high-level guidance for the understanding of certain fields and field sets (e.g., #516 (comment), #290 (comment)) as follows:
I am not sure I fully understand the proposed use of |
Sounds like It captures in which source file (incl. name of the function and line number) the log event was created. For example: Line 27 in c6e5685
|
Filebeat currently populates We're now introducing I think creating a code-specific field set would add a lot of semantic meaning to these events. What about this? code.file.name: generator.py
code.file.line: 27
code.function: main The |
That would be a misuse of I'm generally fine with Let's include @mw-ding and @zfy0701 from the code team to this discussion who are working on APM/Code integration. |
Thanks @felixbarny for cc. It's great to know that we can have the origin of the logs. This will definitely enable some use cases for Code integrations. Questions. This change is for elastic common schema, so when will this be available in the actually data? Also, even with this schema, the data is not guaranteed to have them, right? Any ideas on the coverage? |
Also +1 to continue with |
This data should always be considered optional. It's basically just a recommendation for people to use these fields. Additionally, I have created https://github.com/elastic/java-ecs-logging which is a plugin for the most commonly used Java loggers which format log events to an ECS compatible structure. By default, they don't include the |
based on discussions in elastic#563
based on discussions in #563
@mw-ding The coverage will be dependent on adding support in the sources of these events, so it will come over time. You should sync up with folks implementing the sources you have in mind to get their take on implementing this -- I assume it's mostly APM clients? But in short, your solutions needs to support this being present or absent. These fields being in ECS also means that users will be able to populate these fields in their custom events as well. This means more opportunities for the Code app to hook up with arbitrary sources for integration :-) |
So the consensus is to use Seems like an unnecessary pain, since this is still new and unpublished (master is just a dev branch). |
I think I will be happy with |
Yes, this is new and super helpful for Code. Will keep this in mind for future integrations. @felixbarny @webmat |
@felixbarny @ruflin I've been finishing up the work on #540 -- meant to clarify the purpose of As you can see from #540 (comment), I've come around: I agree with I think I was conflating the |
I have a follow-up question if I may ask: Is it the correct approach to concatenate full namespace with method name for namespace MyCompany.TestWebApp
{
public class AccountsController
{
public List<Account> GetAccounts()
{
logger.Info("Accounts have been retrieved successfully.");
// Do other things.
// ...
}
}
} What is the correct approach?
|
Here's what I would recommend:
|
Thank you @felixbarny, that explanation is very useful for me. One more question about |
That would be just the name. Do you need to store the full path? A good place for that would be Another potentially useful addition would be Not sure if that's possible in .NET but in Java, the logger name ( |
In .NET side, log4net provides full location information in a single field, hence my question was based on that actually. We have just started our implementation, so I haven't got any solid argument for usefulness of storing file path right now. log4net is the counterpart of log4j in .NET world, and you can set logger name other than the class name as you suspected. |
Could you link at the docs for which properties are available for the location information? |
Here is the related doc page: log4net LocationInfo (Not so informative unfortunately.) And here are some actual example values for it in my application:
|
No description provided.