All Products
Search

This Product

    Simple Log Service:Overview of Logtail plug-ins for data processing

    Document Center

    Simple Log Service:Overview of Logtail plug-ins for data processing

    Last Updated:Sep 28, 2024

    Logtail provides plug-ins for data processing to parse raw logs into structured data.

    Background information

    Logtail plug-ins for data processing are classified into native plug-ins and extended plug-ins.

    • Native plug-ins provide high performance and are suitable for most business scenarios. We recommend that you use native plug-ins.

    • Extended plug-ins provide more features. If you cannot process complex business logs by using native plug-ins, you can use extended plug-ins to parse the logs. However, system performance may be compromised in this case.

    Limits

    • Limits on performance

      • If you use extended plug-ins to process logs, Logtail consumes more resources. Most of the resources are CPU resources. You can modify the Logtail parameter settings based on your business requirements. For more information, see Configure the startup parameters of Logtail.

      • If raw logs are generated at a speed that exceeds 5 MB/s, we recommend that you do not use complicated combinations of plug-ins to process logs. You can use extended plug-ins to preliminarily process logs and then use the data transformation feature to further process the logs.

    • Limits on log collection

      • Extended plug-ins use the line mode to process text logs. In this mode, the metadata of files such as __tag__:__path__ and __topic__ is recorded in each log.

      • If you add extended plug-ins to process logs, the following limits apply to tag-related features:

        • The contextual query and LiveTail features are unavailable. If you want to use the features, you must add the aggregators configuration.

        • The __topic__ field is renamed __log_topic__. After you add the aggregators configuration, logs contain the __topic__ and __log_topic__ fields. If you do not require the __log_topic__ field, you can use the processor_drop plug-in to delete the field.

        • For tag fields such as __tag__:__path__, the original field indexes no longer take effect. You must reconfigure indexes for the fields. For more information, see Create indexes.

    • Limits on plug-in combinations

      • For plug-ins of Logtail earlier than V2.0 (excluding V2.0):

        • You cannot add native plug-ins and extended plug-ins at the same time.

        • You can use native plug-ins only to collect text logs. When you add native plug-ins, take note of the following items:

          • You must add one of the following Logtail plug-ins for data processing as the first plug-in: Data Parsing (Regex Mode), Data Parsing (Delimiter Mode), Data Parsing (JSON Mode), Data Parsing (NGINX Mode), Data Parsing (Apache Mode), and Data Parsing (IIS Mode).

          • After you add the first plug-in, you can add one Time Parsing plug-in, one Data Filtering plug-in, and multiple Data Masking plug-ins.

    • For plug-ins of Logtail V2.0: You can add extended plug-ins only after you add native plug-ins.

    • Limits on native plug-in-related parameter combinations

      For native plug-ins of Logtail earlier than V2.0, we recommend that you use only the following parameter combinations. The plug-ins refer to Data Parsing (Regex Mode), Data Parsing (JSON Mode), Data Parsing (Delimiter Mode), Data Parsing (NGINX Mode), Data Parsing (Apache Mode), and Data Parsing (IIS Mode). For other parameter combinations, Simple Log Service does not ensure configuration effects.

      • Upload logs that are parsed.

        image

      • Upload logs that are obtained after parsing if the parsing is successful, and upload raw logs if the parsing fails.

        image

      • Upload logs that are obtained after parsing and add a raw log field to the logs if the parsing is successful, and upload raw logs if the parsing fails.

        For example, if a raw log is "content": "{"request_method":"GET", "request_time":"200"}" and the raw log is successfully parsed, the system adds a raw log field to the log that is obtained after parsing. The raw log field is specified by the New Name of Original Field parameter. If you do not configure the parameter, the original field name is used. The field value is {"request_method":"GET", "request_time":"200"}.

        image

    Add plug-ins

    Add plug-ins when you modify a Logtail configuration

    1. Log on to the Simple Log Service console.

    2. In the Projects section, click the project that you want to manage.

      image

    3. Choose Log Storage > Logstores. Click > of the required Logstore. Then, choose Data Collection > Logtail Configurations.

      image

    4. In the Logtail Configuration list, find the required Logtail configuration and click Manage Logtail Configuration in the Actions column.

    5. Click Edit in the upper-left corner of the page. In the Processor Configurations section, add Logtail plug-ins and click Save.

    Add plug-ins when you create a Logtail configuration

    1. Log on to the Simple Log Service console.

    2. On the right side of the page that appears, click the Quick Data Import card.

      image

    3. In the Import Data dialog box, click a card, follow the instructions to configure parameters in the wizard, and then add Logtail plug-ins in the Logtail Configuration step of the wizard. For more information, see Collect text logs from servers.

      Note

      The Logtail plug-in configuration that you add when you create a Logtail configuration works in the same manner as the Logtail plug-in configuration that you add when you modify the Logtail configuration.

    Logtail plug-ins for data processing

    Native plug-ins

    Plug-in

    Description

    Data Parsing (Regex Mode)

    Extracts log fields based on a regular expression and parses logs into key-value pairs. For more information, see Parsing in regex mode.

    Data Parsing (JSON Mode)

    Parses JSON logs into key-value pairs. For more information, see Parsing in JSON mode.

    Data Parsing (Delimiter Mode)

    Structuralizes and parses logs into key-value pairs based on a delimiter. For more information, see Parsing in delimiter mode.

    Data Parsing (NGINX Mode)

    Structuralizes and parses NGINX logs into key-value pairs. For more information, see Parsing in NGINX mode.

    Data Parsing (Apache Mode)

    Structuralizes and parses Apache logs into key-value pairs. For more information, see Parsing in Apache mode.

    Data Parsing (IIS Mode)

    Structuralizes and parses IIS logs into key-value pairs. For more information, see Parsing in IIS mode.

    Time Parsing

    Parses log time. For more information, see Time parsing.

    Data Filtering

    Filters logs. For more information, see Data filtering.

    Data Masking

    Masks the sensitive content of logs. For more information, see Data masking.

    Extended plug-ins

    Operation

    Description

    Extract fields

    Extracts fields by using a regular expression. For more information, see Regex mode.

    Extracts fields by anchoring start and stop keywords. For more information, see Anchor mode.

    Extracts fields in CSV mode. For more information, see CSV mode.

    Extracts fields by using a single-character delimiter. For more information, see Single-character delimiter mode.

    Extracts fields by using a multi-character delimiter. For more information, see Multi-character delimiter mode.

    Extracts fields by splitting key-value pairs. For more information, see Key-value pair mode.

    Extracts fields by using Grok expressions. For more information, see Grok mode.

    Add fields

    Adds fields. For more information, see Add fields.

    Drop fields

    Drops fields. For more information, see Drop fields.

    Rename fields

    Renames fields. For more information, see Rename fields.

    Encapsulate fields

    Encapsulates one or more fields into a JSON object-formatted field. For more information, see Encapsulate fields.

    Expand JSON fields

    Expands JSON fields. For more information, see Expand JSON fields.

    Filter logs

    Uses regular expressions to match the values of log fields and filter logs. For more information, see processor_filter_regex.

    Uses regular expressions to match the names of log fields and filter logs. For more information, see processor_filter_key_regex.

    Extract log time

    Parses the time field in raw logs and specifies the parsing result as the log time. For more information, see Time format supported by Go.

    Convert IP addresses

    Converts IP addresses in logs to geographical locations. A geographical location includes the following information: country, province, city, longitude, and latitude. For more information, see Convert IP addresses.

    Mask sensitive data

    Replaces sensitive data in logs with specified strings or MD5 hash values. For more information, see Mask sensitive data.

    Map field values

    Maps field values. For more information, see Map field values.

    Encrypt fields

    Encrypts specific fields. For more information, see Encrypt fields.

    Encode and decode data

    Decodes field values. For more information, see Base64 decoding.

    Encodes field values. For more information, see Base64 encoding.

    Encodes data by using the MD5 algorithm. For more information, see MD5 encoding.

    Convert logs to metrics

    Converts collected logs to SLS metrics. For more information, see Convert logs to Simple Log Service metrics.

    Convert logs to traces

    Converts collected logs to SLS traces. For more information, see Convert logs to Simple Log Service traces.