Terminology

Agent

Logs are shipped to observIQ via the observIQ high-performance log agent. Agents are installed on the host where your logs live. Agent installation commands are generated from the Fleet > Installation page.

Source

A pre-made parsing and enrichment pipeline tailored to the technology you're looking to gather logs from. Example Sources in observIQ Cloud are MySQL, Apache Tomcat and Windows Event Log. Sources are deployed to Log Agents from the observIQ UI. observIQ supports over 40 different Sources out of the box. A full list of supported Sources can be found here: Log Sources

Template

Allows you to deploy the same Source(s) to multiple Agents from a single place in the UI. Templates are required for gathering logs from Kubernetes, but are optional for gathering logs from Linux, Mac, and Windows environments. A Template is generally recommended if you intend to gather logs from 5 or more hosts.

Kibana

Kibana is a popular open-source tool for visualizing your indexed log data. A customized version of Kibana is integrated into the observIQ Explore page.

Index

Roughly, the database where your logs are stored. Each observIQ account has 1 index associated with it. Customers don't need to manage their index when using observIQ - that's all managed for you.

Document

In Elasticsearch, a Document is the basic unit of search and indexing. All of your logs are stored as documents, so you'll occasionally see references to documents in the UI when it refers to your log data.

Field Mapping

In Elasticsearch, every indexed field is assigned a data type (integer, float, keyword, text, string). In most observIQ Sources, data types are statically mapped for most fields and dynamically mapped for the rest. You can see the mappings for the fields in your account under Stack Management > Index Patterns > [Index Name] > Index Patterns on the Explore page.

Operator

An operator is the most basic unit of log processing in observIQ. Each operator fulfills only a single responsibility, such as reading lines from a file, parsing JSON from a field, or applying useful metadata like labels to your logs. These operators are then chained together to create a pipeline.

Pipeline

A series of operators that are chained together; the underlying structure of a Source. More information about Operators can be found on the GitHub page for observIQ's open source log agent. By default, Operators are not exposed in the UI, but they are exposed when customizing a Source.
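As an added illustration (not a configuration taken from this page or shipped by observIQ), the following is what a minimal pipeline of chained operators looks like in the YAML format of the open source log agent: a file reader, a JSON parser, a metadata operator that applies labels, and an output. The operator type names (`file_input`, `json_parser`, `metadata`, `stdout`), the field names under each operator, the file path and the label values are assumptions here; exact names vary between agent versions, so check the agent's operator documentation before using them.

```yaml
# Added example: a pipeline of chained operators for the observIQ log agent.
# Operator type and field names are assumed and version-dependent; verify
# them against the agent's documentation. The path and labels are constructed.
pipeline:
  # 1. Read new lines from the application's log files, starting at the end
  #    so an existing backlog is not re-ingested on first start.
  - type: file_input
    include:
      - /var/log/myapp/*.log
    start_at: end

  # 2. Parse each line as JSON so its keys become separate fields, and take
  #    the event timestamp from the record's own "time" key (assumed format)
  #    rather than the time the agent read the line.
  - type: json_parser
    timestamp:
      parse_from: time
      layout: '%Y-%m-%dT%H:%M:%S.%LZ'

  # 3. Attach labels to every log so it can be filtered, routed and retained
  #    by environment and service once indexed.
  - type: metadata
    labels:
      environment: production
      service: myapp

  # 4. Emit the enriched records. An observIQ Source would end in the
  #    platform's own output operator instead of stdout.
  - type: stdout
```

Each operator consumes the entries produced by the one above it, which is why the order matters: labels added before the JSON parser would apply, but a parser placed after the output would never see any records. When customizing a Source in the UI, the operators you are editing form exactly this kind of chain.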