Allow for json message format to store in root level of log object

[mt54636]

It would be nice to have format options, so we can store json logs in the root level.

Instead of:

{
    "line": {
        "message": "app:start",
        "date": "2018-05-22 14:01:35",
        "file": "/opt/api/app/index.js",
        "line": 13,
        "severity": "info"
    },
    "source": "stdout",
    "tag": "docker_container_info"
}

We could instead have:

{
    "message": "app:start",
    "date": "2018-05-22 14:01:35",
    "file": "/opt/api/app/index.js",
    "line": 13,
    "severity": "info",
    "source": "stdout",
    "tag": "docker_container_info"
}

[sharonx]

@mtalebi May I know more about your use case with the proposed format (save message size? or something else)? There could be potential conflict on the keys with the attributes (source, tag, etc) in this way.

Note that you can configure it in splunk with props and transform too.

[dtregonning]

@mtalebi @sharonx - Closing due to inactivity.

[cruisehall]

This feature is especially important for enterprises, who cannot easily configure these server-side options per team, and often have multiple different log sources each with their own structure (e.g. fluentd on k8s ships the log message under an attribute named "log" instead of "line").

It is simpler to govern log format consistency upstream, i.e. before the log is emitted to stdout/err.

[thecouchcoder]

@dtregonning Could this issue be reopened? To my knowledge, Splunk doesn't support expanding nested JSON by default, so we'd need to manually click to expand each line field to view the message. Is there any workaround for this? As @cruisehall mentioned, those of us working within an enterprise do not always have the proper access to configure server-side transforms as suggested.