Ensure the correct mapping of your severity key 🔗
The Log Observer Connect timeline displays a histogram of logged events over time, grouped by values of the message field severity. The severity key is a field that all logs contain. It has the values debug, error, info, unknown, and warning. Your logs might use a different field name for the severity key.
If your logs call the severity key or its values by different names, that’s okay. Ensure that Log Observer Connect can read your field and value names. Log Observer Connect assigns unknown to all values that it does not recognize.
Note
The names of your severity key and its values are not case sensitive.
Your severity key can have any of the following names:
severity
level
otel.log.severity.text
The following table lists the values that Log Observer Connect recognizes for each severity name:
Severity field names |
Severity value names |
|---|---|
severity |
info, information
err, error
warn, warning
debug
critical
|
level |
info, information
err, error
warn, warning
|
otel.log.severity.text |
normal
warn, warning
|
If your severity key or values do not match any of the names in the previous table, do one of the following to turn them to names that Log Observer Connect recognizes:
Use a field extraction to transform your field name. See Extract fields from event data using Ingest Processor to learn how.
Add a severity alias to your field name. See Create field aliases to learn how.
When you create an alias for your severity key name, the original key name and its aliases continue to function for Log Observer queries. On the Log Observer timeline histogram, the severity key name and all its aliases are combined into one and represented as “severity”.