Financial-Times / splunk-heroku

Support for Heroku log drains packaged as a Splunk app.
https://tech.in.ft.com/tech-topics/logging/splunk/logging-from-heroku
MIT License

Extract the `status` router field explicitly #63

Closed sjparkinson closed 2 years ago

sjparkinson commented 2 years ago

When Splunk automatically extracts fields for a request such as:

```
2022-10-13T16:03:35.462875+00:00 heroku router - at=info method=GET path="/wp-admin/admin.php?page=download_report&report=users&status=all" host=.herokuapp.com request_id=f752fa8cd050cfd13d624b24c121a26c33cdeb62ccbe028ff0266c89ce346e85 fwd="10.0.0.0" dyno=web.4 connect=0ms service=2ms status=404 bytes=440 protocol=http
```

It currently extracts the `path` field, and also `page`, `report` and `status` as fields out of the value. For `status` this is unexpected as there's another field later on in the message that's more important for us to extract.

Being explicit about extracting the `status` field resolves the problem.

Tested locally, this will still have other fields extracted out of the value of the `path` field, but not `status` and any others that we're explicit about.
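
The behaviour described in this pull request, as an added example that is not part of the PR or of the splunk-heroku app: a simplified Python model of automatic key=value discovery (an assumption, not Splunk's actual extraction logic) next to an explicit, quote-aware `status` extraction. The function names and the sample line's app name and request ID are constructed.

```python
import re

# Constructed sample modelled on the router line quoted above; the app name
# and request_id are placeholders.
SAMPLE = (
    '2022-10-13T16:03:35.462875+00:00 heroku router - at=info method=GET '
    'path="/wp-admin/admin.php?page=download_report&report=users&status=all" '
    'host=example-app.herokuapp.com request_id=0000 fwd="10.0.0.0" dyno=web.4 '
    'connect=0ms service=2ms status=404 bytes=440 protocol=http'
)

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=bare or key="quoted"
INNER = re.compile(r'(\w+)=([^&\s"]+)')            # pairs inside a quoted value
QUOTED = re.compile(r'"[^"]*"')
ROUTER_STATUS = re.compile(r'(?:^|\s)status=(\d{3})(?=\s|$)')


def auto_extract(line):
    """Simplified model (assumption) of automatic key=value discovery:
    pairs inside quoted values are picked up too, first occurrence wins."""
    fields = {}
    for m in TOKEN.finditer(line):
        key, quoted, bare = m.groups()
        fields.setdefault(key, quoted if quoted is not None else bare)
        if quoted is not None:
            for k, v in INNER.findall(quoted):
                fields.setdefault(k, v)
    return fields


def explicit_status(line):
    """Blank out quoted values, then match only a top-level three-digit status.
    Assumes values never contain an unescaped double quote."""
    m = ROUTER_STATUS.search(QUOTED.sub('""', line))
    return int(m.group(1)) if m else None


def extract(line):
    """Automatic fields, with status overridden by the explicit extraction."""
    fields = auto_extract(line)
    status = explicit_status(line)
    if status is not None:
        fields["status"] = str(status)
    return fields


if __name__ == "__main__":
    print("automatic:", auto_extract(SAMPLE)["status"])   # all
    print("explicit: ", extract(SAMPLE)["status"])        # 404
```

Because the `path` value is supplied by the client, searches and alerts keyed on `status` should read the explicitly extracted value rather than whatever key=value pairs appear in the query string.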