# Examples Examples of log patterns identified and optimized by Nimbus. ### Logs with common message patterns These are high volume log events that repeat most of their content. For most applications most of the time, this will be the primary driver of log volume. Examples include health checks and heart beat notifications. {% tabs %} {% tab title="Before" %} ```json [ { "ddsource": "nodejs", "host": "itemrefresh-0", "message": "refresh item catalogue for itemId: ITEM470", "path": "/", "service": "itemrefresh", "status": "info", "timestamp": "2023-11-23T00:16:09.970Z" }, { "ddsource": "nodejs", "host": "itemrefresh-0", "message": "refresh item catalogue for itemId: ITEM8185", "path": "/", "service": "itemrefresh", "status": "info", "timestamp": "2023-11-23T00:16:09.997Z" }, { "ddsource": "nodejs", "host": "itemrefresh-0", "message": "refresh item catalogue for itemId: ITEM7594", "path": "/", "service": "itemrefresh", "status": "info", "timestamp": "2023-11-23T00:16:10.010Z" }, // 37 more messages ... ] ``` {% endtab %} {% tab title="After" %} * 97.5% event volume reduction * 79% ingest volume reduction ```json { "ddsource": "nodejs", "host": "itemrefresh-0", "path": "/", "service": "itemrefresh", "status": "info", "message": [ "refresh item catalogue for itemId: ITEM470", "refresh item catalogue for itemId: ITEM8185", "refresh item catalogue for itemId: ITEM7594", // 37 more messages ... ], "nimsize": 40, "timestamp": "2023-11-23T00:16:09.970Z", "timestamp_end": "2023-11-23T00:16:11.322Z" } ``` {% endtab %} {% tab title="Transform" %} ```yml - name: itemrefresh type: reduce rules: process_when: - key: service op: EQUAL val: itemrefresh group_by: - host - path pull_up: - ddsource - path - status - service msg_field: message ``` {% endtab %} {% endtabs %} ### Logs with common identifiers These are logs that describe a sequence of related events. These sequences usually have some sort of common identifier like a `transactionId` or a `jobId`. Examples include a background job and business specific user flows. {% tabs %} {% tab title="Before" %} ```json [ { "ddsource": "nodejs", "host": "checkout-0", "message": { "customerId": "CU26940939", "itemId": "ITEM1417", "itemName": "Product 7", "itemPrice": 2.612748019396105, "msg": "adding ITEM9798 to cart", "quantity": 2, "transactionId": "TX79924095" }, "service": "checkout", "status": "info", "timestamp": "2024-04-26T15:45:14.000000138Z" }, { "ddsource": "nodejs", "host": "checkout-0", "message": { "customerId": "CU26940939", "discountAmount": 13.837782236831986, "msg": "applying discount DISC16", "transactionId": "TX79924095" }, "service": "checkout", "status": "info", "timestamp": "2024-04-26T15:45:14.000000831Z" }, { "ddsource": "nodejs", "host": "checkout-0", "message": { "customerId": "CU26940939", "estimatedDelivery": "2023-11-24", "msg": "calculating shipping info for ITEM9798", "shippingAddress": "902 Main St, Anytown, AN 68387", "shippingMethod": "Standard", "transactionId": "TX79924095" }, "service": "checkout", "status": "info", "timestamp": "2024-04-26T15:45:15.000000523Z" }, { "ddsource": "nodejs", "host": "checkout-0", "message": { "customerId": "CU26940939", "msg": "payment for ITEM9798 succeeded", "paymentMethod": "PayPal", "totalAmount": 56.645267111988474, "transactionId": "TX79924095" }, "service": "checkout", "status": "info", "timestamp": "2024-04-26T15:45:16.000000214Z" } ] ``` {% endtab %} {% tab title="After" %} * 75% reduction in event volume * 4% reduction in ingest volume ```json { "customerId": "CU26940939", "ddsource": "nodejs", "host": "checkout-0", "message": [ "adding ITEM9798 to cart", "applying discount DISC16", "calculating shipping info for ITEM9798", "payment for ITEM9798 succeeded", ], "nimdata": [ { "message": { "itemId": "ITEM1417", "itemName": "Product 7", "itemPrice": 2.612748019396105, "msg": "adding ITEM9798 to cart", "quantity": 2 }, "timestamp": "2024-04-26T15:45:14.000000138Z" }, { "message": { "discountAmount": 13.837782236831986, "msg": "applying discount DISC16" }, "timestamp": "2024-04-26T15:45:14.000000831Z" }, { "message": { "estimatedDelivery": "2023-11-24", "msg": "calculating shipping info for ITEM9798", "shippingAddress": "902 Main St, Anytown, AN 68387", "shippingMethod": "Standard" }, "timestamp": "2024-04-26T15:45:15.000000523Z" }, { "message": { "msg": "payment for ITEM9798 succeeded", "paymentMethod": "PayPal", "totalAmount": 56.645267111988474 }, "timestamp": "2024-04-26T15:45:16.000000214Z" } ], "service": "checkout", "status": "info", "timestamp": "2024-04-26T15:45:14.000000138Z", "timestamp_end": "2024-04-26T15:45:16.000000905Z", "transactionId": "TX79924095" } ``` {% endtab %} {% tab title="Transform" %} ```yaml - name: checkout type: reduce rules: # process when service is exactly equal to "checkout" process_when: - key: service op: EQUAL val: checkout # make sure these fields are still available at the "top level" instead of being nested pull_up: - message.transactionId - message.customerId # group all logs by the following top level keys group_by: - customerId - transactionId # specify the message field, the highlighted body of the log msg_field: message.msg # remove unecessary timestamp fields remove: - timestamp - message.timestamp # details how custom top level keys will be merged merge_strategies: transactionId: discard customerId: discard ``` {% endtab %} {% endtabs %} ### Multi-Line Logs Many times, an application will emit a single log across multiple lines such as the case with a JSON log. Unless you specifically account for this, most logging agents will consume each newline as a separate log event. Nimbus can identify when this happens and stitch these logs back together. {% tabs %} {% tab title="Before" %} ```json [ { "ddsource": "nimbus", "host": "some-host", "message": "{", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.108Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"id\": \"2460\",", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.134Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"method\": \"GET\",", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.147Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"url\": \"/health\",", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.160Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"query\": {},", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.174Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"params\": {},", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.187Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"headers\": {", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.199Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"host\": \"100.119.27.217:8080\",", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.210Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"user-agent\": \"kube-probe/1.18\",", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.221Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"accept-encoding\": \"gzip\",", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.233Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"connection\": \"close\"", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.245Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " },", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.256Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"remoteAddress\": \"::ffff:172.20.65.189\",", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.269Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"remotePort\": 60444", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.280Z" }, { "ddsource": "nimbus", "host": "some-host", "message": "}", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.292Z" }, { "ddsource": "nimbus", "host": "some-host", "message": "{", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.304Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"statusCode\": 200,", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.316Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"headers\": {", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.327Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " \"x-powered-by\": \"Express\"", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.338Z" }, { "ddsource": "nimbus", "host": "some-host", "message": " }", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.350Z" }, { "ddsource": "nimbus", "host": "some-host", "message": "}", "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.361Z" } ] ``` {% endtab %} {% tab title="After" %} * 90% in event volume reduction * 87% in ingest volume reduction ```json { "ddsource": "nimbus", "host": "some-host", "message": "{ \"id\": \"2460\", \"method\": \"GET\", \"url\": \"/health\", \"query\": {}, \"params\": {}, \"headers\": { \"host\": \"100.119.27.217:8080\", \"user-agent\": \"kube-probe/1.18\", \"accept-encoding\": \"gzip\", \"connection\": \"close\" }, \"remoteAddress\": \"::ffff:172.20.65.189\", \"remotePort\": 60444}{ \"statusCode\": 200, \"headers\": { \"x-powered-by\": \"Express\" }}", "nimkind": "opt", "nimmatch": "healthcheck", "nimsize": 21, "path": "/", "service": "healthcheck", "source_type": "http_server", "status": "info", "timestamp": "2023-11-23T00:05:58.108Z" } ``` {% endtab %} {% tab title="Transform" %} ```yaml - name: healthcheck type: reduce rules: process_when: - key: service op: EQUAL val: healthcheck group_by: - host msg_field: message starts_when: - key: message op: MATCH val: \n\{ merge_strategies: msg_source: concat_newline ``` {% endtab %} {% endtabs %}