* Rewrote description to highlight primary use case
* Added defaults for how much structured metadata can be added to log
lines
* Rewrote example queries
**What this PR does / why we need it**:
**Which issue(s) this PR fixes**:
Fixes #<issue number>
**Special notes for your reviewer**:
**Checklist**
- [ ] Reviewed the
[`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md)
guide (**required**)
- [ ] Documentation added
- [ ] Tests updated
- [ ] `CHANGELOG.md` updated
- [ ] If the change is worth mentioning in the release notes, add
`add-to-release-notes` label
- [ ] Changes that require user attention or interaction to upgrade are
documented in `docs/sources/setup/upgrade/_index.md`
- [ ] For Helm chart changes bump the Helm chart version in
`production/helm/loki/Chart.yaml` and update
`production/helm/loki/CHANGELOG.md` and
`production/helm/loki/README.md`. [Example
PR](d10549e3ec)
- [ ] If the change is deprecating or removing a configuration option,
update the `deprecated-config.yaml` and `deleted-config.yaml` files
respectively in the `tools/deprecated-config-checker` directory.
[Example
PR](0d4416a4b0)
@ -6,24 +6,22 @@ description: Describes how to enable structure metadata for logs and how to quer
# What is structured metadata
# What is structured metadata
{{% admonition type="warning" %}}
{{% admonition type="warning" %}}
Structured metadata is an experimental feature and is subject to change in future releases of Grafana Loki.
Structured metadata is an experimental feature and is subject to change in future releases of Grafana Loki. This feature is not yet available for Cloud Logs users.
{{% /admonition %}}
{{% /admonition %}}
{{% admonition type="warning" %}}
{{% admonition type="warning" %}}
Structured metadata was added to chunk format V4 which is used if the schema version is greater or equal to `13`. (See [Schema Config]({{< relref "../../storage#schema-config" >}}) for more details about schema versions. )
Structured metadata was added to chunk format V4 which is used if the schema version is greater or equal to `13`. (See [Schema Config]({{< relref "../../storage#schema-config" >}}) for more details about schema versions. )
{{% /admonition %}}
{{% /admonition %}}
One of the powerful features of Loki is parsing logs at query time to extract metadata and build labels out of it.
Selecting proper, low cardinality labels is critical to operating and querying Loki effectively. Some metadata, especially infrastructure related metadata, can be difficult to embed in log lines, and is too high cardinality to effectively store as indexed labels (and therefore reducing performance of the index).
However, the parsing of logs at query time comes with a cost which can be significantly high for, as an example,
large JSON blobs or a poorly written query using complex regex patterns.
In addition, the data extracted from logs at query time is usually high cardinality, which can’t be stored
Structured metadata is a way to attach metadata to logs without indexing them or including them in the log line content itself. Examples of useful metadata are
in the index as it would increase the cardinality too much, and therefore reduce the performance of the index.
kubernetes pod names, process ID's, or any other label that is often used in queries but has high cardinality and is expensive
Structured metadata is a way to attach metadata to logs without indexing them. Examples of useful metadata are
trace IDs, user IDs, and any other label that is often used in queries but has high cardinality and is expensive
to extract at query time.
to extract at query time.
Structured metadata can also be used to query commonly needed metadata from log lines without needing to apply a parser at query time. Large json blobs or a poorly written query using complex regex patterns, for example, come with a high performance cost. Examples of useful metadata include trace IDs or user IDs.
## Attaching structured metadata to log lines
## Attaching structured metadata to log lines
You have the option to attach structured metadata to log lines in the push payload along with each log line and the timestamp.
You have the option to attach structured metadata to log lines in the push payload along with each log line and the timestamp.
@ -34,25 +32,37 @@ See the [Promtail: Structured metadata stage]({{< relref "../../send-data/promta
With Loki version 1.2.0, support for structured metadata has been added to the Logstash output plugin. For more information, see [logstash]({{< relref "../../send-data/logstash/_index.md" >}}).
With Loki version 1.2.0, support for structured metadata has been added to the Logstash output plugin. For more information, see [logstash]({{< relref "../../send-data/logstash/_index.md" >}}).
{{% admonition type="warning" %}}
There are defaults for how much structured metadata can be attached per log line.
```
# Maximum size accepted for structured metadata per log line.
Structured metadata is extracted automatically for each returned log line and added to the labels returned for the query.
Structured metadata is extracted automatically for each returned log line and added to the labels returned for the query.
You can use labels of structured metadata to filter log line using a [label filter expression]({{< relref "../../query/log_queries#label-filter-expression" >}}).
You can use labels of structured metadata to filter log line using a [label filter expression]({{< relref "../../query/log_queries#label-filter-expression" >}}).
For example, if you have a label `trace_id` attached to some of your log lines as structured metadata, you can filter log lines using:
For example, if you have a label `pod` attached to some of your log lines as structured metadata, you can filter log lines using:
```logql
```logql
{job="example"} | trace_id="0242ac120002"
{job="example"} | pod="myservice-abc1234-56789"`
```
```
Of course, you can filter by multiple labels of structured metadata at the same time:
Of course, you can filter by multiple labels of structured metadata at the same time:
Note that since structured metadata is extracted automatically to the results labels, some metric queries might return
Note that since structured metadata is extracted automatically to the results labels, some metric queries might return an error like `maximum of series (50000) reached for a single query`. You can use the [Keep]({{< relref "../../query/log_queries#keep-labels-expression" >}}) and [Drop]({{< relref "../../query/log_queries#drop-labels-expression" >}}) stages to filter out labels that you don't need.
an error like `maximum of series (50000) reached for a single query`. You can use the [Keep]({{< relref "../../query/log_queries#keep-labels-expression" >}}) and [Drop]({{< relref "../../query/log_queries#drop-labels-expression" >}}) stages to filter out labels that you don't need.
Steven Dungan
1 year ago
committed by