Advanced Source Configuration

For some sources, you can enrich your logs while configuring the source by using the advanced section.

Because the log agent component of the agents is stanza-based, we can use valid stanza pipeline syntax to transform or enrich the logs.

Example: Attaching Metadata

One use case for this is to attach useful metadata that can then be used in Explore to better navigate through the logs.

Let's say we want to apply user-defined metadata, such as which cluster this agent or template is used in. We can achieve this by using the stanza metadata operator.

To enrich logs coming from this source, enter the following in the advanced section:

- type: metadata
  labels:
    cluster: "development"

All log entries coming from this source will now have this extra label.

If you see the label but cannot filter by it, try refreshing the indexes: navigate to the Explore page and use stack management to refresh your indexes.

After that, you should be able to filter your logs by the user-defined label.
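
A variation on the configuration above, added here as an example and not taken from the original documentation: when the same template is deployed to several clusters, the label can be read from the agent's environment instead of being hard-coded. The variable name CLUSTER_NAME and the source_owner label are hypothetical, and the example assumes the agent's stanza version evaluates EXPR() expressions in metadata label values and that the variable is set in the agent's environment.

```yaml
# Added example: stanza metadata operator with one static and one dynamic label.
- type: metadata
  labels:
    # Static label, identical on every host that uses this template (hypothetical name).
    source_owner: "platform-team"
    # Dynamic label: stanza's env() expression function reads CLUSTER_NAME
    # (hypothetical variable) from the agent's environment when the entry is processed.
    cluster: 'EXPR( env("CLUSTER_NAME") )'
```

Label values set this way are only as trustworthy as the host's environment, so treat the cluster label as a navigation aid in Explore and not as proof of where a log entry originated.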