Why do my logs show up with an Info status even for Warnings or Errors?

By default, when logs are received on Datadog's intake API, Datadog generates a status (Info) and sets it in the status attribute. However, this default status does not always reflect the actual value that might be contained in the log itself. This article describes how to override the default value.

Raw logs

Extract the status value with a parser

While writing a parsing rule for your logs, extract the status in a specific attribute.

For the log above, use the following rule with the word() matcher to extract the status and pass it into a custom log_status attribute:

Define a Log Status Remapper

The value is now stored in a log_status attribute. Add a Log Status remapper to make sure the official log status is overridden with the value in the log_status attribute.

All new logs processed by this Pipeline should now have the correct status.

Note: Any modification on a Pipeline only impacts new logs as all the processing is done during the intake process.

JSON logs

JSON logs are automatically parsed in Datadog. The log status attribute is one of Datadog's reserved attributes, which means that JSON logs using those attributes have their values treated specially, in this case to derive the log's status. Change the default remapping for those attributes at the top of your Pipeline, as explained in the edit reserved attributes documentation. For example, suppose the actual status of the log is contained in the attribute logger_severity.

To make sure this attribute value is taken to override the log status, add it in the list of Status attributes.

The status remapper looks for each of the reserved attributes in the order in which they are configured in the reserved attribute mapping, so to be 100% sure that our logger_severity attribute is used to derive the status, place it first in the list.

Note: Any modification on the Pipeline only impacts new logs as all the processing is done at ingestion.

There are specific status formats that must be adhered to for the remapping to work. The recognized status formats are explained in the status remapper description. In this specific case, after adding some host and service remapping, new logs are correctly configured.
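The attribute lookup order and the fallback to Info described above can be checked offline before changing a Pipeline. The following is an added example, not Datadog's code: the prefix rules are an assumed model of the recognized status formats (the status remapper description is authoritative), and the function names, sample log and attribute lists are constructed for illustration.

```python
import json

# Assumed model of the recognized status formats; the status remapper
# description is authoritative for the real rules.
PREFIX_RULES = [
    (("emerg", "f"), "emerg"),
    (("a",), "alert"),
    (("c",), "critical"),
    (("err",), "error"),
    (("w",), "warning"),
    (("n",), "notice"),
    (("i",), "info"),
    (("d", "trace", "verbose"), "debug"),
    (("o", "s"), "ok"),
]
SYSLOG = ["emerg", "alert", "critical", "error", "warning", "notice", "info", "debug"]

def normalize(value):
    """Map a raw attribute value to a status; unrecognized values become info."""
    if isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 7:
        return SYSLOG[value]
    text = str(value).strip().lower()
    if text.isdigit() and int(text) <= 7:
        return SYSLOG[int(text)]
    for prefixes, status in PREFIX_RULES:
        if text.startswith(prefixes):
            return status
    return "info"

def derive_status(raw_line, status_attributes):
    """Return (status, source_attribute) for one JSON log line."""
    try:
        log = json.loads(raw_line)
    except json.JSONDecodeError:
        return "info", None              # not JSON: the default status applies
    if not isinstance(log, dict):
        return "info", None
    for name in status_attributes:       # first configured attribute present wins
        if name in log:
            return normalize(log[name]), name
    return "info", None

# Constructed sample: the real level is in logger_severity, while a generic
# "level" field carries a different value.
SAMPLE = '{"message": "db connection lost", "level": "info", "logger_severity": "ERROR"}'

if __name__ == "__main__":
    for order in (["status", "level", "logger_severity"],
                  ["logger_severity", "status", "level"]):
        print(order, "->", derive_status(SAMPLE, order))
```

With logger_severity listed last, the sample is reported as info from the level field; moving it to the front yields error, which is what severity-based monitors and detection rules need to see.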