README ¶
json-logs
This repository contains a tool, jlog
, to pretty-print JSON logs, like those from zap or logrus.
Here's what it looks like in action (on some logs from an opinionated-server server).
The main goal is to never hide any information in the underlying logs, even if a particular line
doesn't parse. Unparsable lines or lines with missing information will be echoed verbatim, and at
the very end, a count is produced summarizing lines that parsed, lines that didn't parse, and lines
that were filtered out with a user expression (-e
). That way, you know you're seeing everything,
even when an annoying library writes plain text to your JSON logs. These guarantees are tested with
fuzz tests and live integration tests against common logging libraries.
Installation
Grab a binary from the releases area, chmod a+x
it, and move it to somewhere in your $PATH. Or you
can go install github.com/jrockway/json-logs/cmd/jlog@latest
.
If you use homebrew; brew tap jrockway/tap; brew install jrockway/tap/jlog
. (This works on OS X
and Linux, and supports Arm64 and AMD64.)
Use
Pipe it some json-formatted logs:
$ jlog < log
$ kubectl logs some-pod | jlog
# etc.
The format is automatically guessed, and timestamps will appear in your local time zone.
Here's the --help
message:
jlog [OPTIONS]
Input Schema:
-l, --lax If true, suppress any validation errors including non-JSON log lines and missing timestamps,
levels, and message. We extract as many of those as we can, but if something is missing, the
errors will be silently discarded. [$JLOG_LAX]
--levelkey= JSON key that holds the log level. [$JLOG_LEVEL_KEY]
--nolevelkey If set, don't look for a log level, and don't display levels. [$JLOG_NO_LEVEL_KEY]
--timekey= JSON key that holds the log timestamp. [$JLOG_TIMESTAMP_KEY]
--notimekey If set, don't look for a time, and don't display times. [$JLOG_NO_TIMESTAMP_KEY]
--messagekey= JSON key that holds the log message. [$JLOG_MESSAGE_KEY]
--nomessagekey If set, don't look for a message, and don't display messages (time/level + fields only).
[$JLOG_NO_MESSAGE_KEY]
--delete= JSON keys to be deleted before JQ processing and output; repeatable. [$JLOG_DELETE_KEYS]
--upgrade= JSON key (of type object) whose fields should be merged with any other fields; good for
loggers that always put structed data in a separate key; repeatable.
--upgrade b would transform as follows: {a:'a', b:{'c':'c'}} -> {a:'a', c:'c'}
[$JLOG_UPGRADE_KEYS]
Output Format:
--no-elide Disable eliding repeated fields. By default, fields that have the same value as the line
above them have their values replaced with '↑'. [$JLOG_NO_ELIDE_DUPLICATES]
-r, --relative Print timestamps as a duration since the program started instead of absolute timestamps.
[$JLOG_RELATIVE_TIMESTAMPS]
-t, --time-format= A go time.Format string describing how to format timestamps, or one of
'rfc3339(milli|micro|nano)', 'unix', 'stamp(milli|micro|nano)', or 'kitchen'. (default:
stamp) [$JLOG_TIME_FORMAT]
-s, --only-subseconds Display only the fractional part of times that are in the same second as the last log line.
Only works with the (milli|micro|nano) formats above. (This can be revisited, but it's
complicated.) [$JLOG_ONLY_SUBSECONDS]
--no-summary Suppress printing the summary at the end. [$JLOG_NO_SUMMARY]
-p, --priority= A list of fields to show first; repeatable. [$JLOG_PRIORITY_FIELDS]
-H, --highlight= A list of fields to visually distinguish; repeatable. (default: err, error, warn, warning)
[$JLOG_HIGHLIGHT_FIELDS]
-A, --after-context= Print this many filtered lines after a non-filtered line (like grep). (default: 0)
-B, --before-context= Print this many filtered lines before a non-filtered line (like grep). (default: 0)
-C, --context= Print this many context lines around each match (like grep). (default: 0)
General:
-g, --regex= A regular expression that removes lines from the output that don't match, like grep.
-G, --no-regex= A regular expression that removes lines from the output that DO match, like 'grep -v'.
-S, --regex-scope= Where to apply the provided regex; (m)essage, (k)eys, or (v)alues. 'kmv' looks in all scopes,
'k' only searches keys, etc. (default: kmv)
-e, --jq= A jq program to run on each record in the processed input; use this to ignore certain lines,
add fields, etc. Hint: 'select(condition)' will remove lines that don't match 'condition'.
--jq-search-path= A list of directories in which to search for JQ modules. A path entry named (not merely
ending in) .jq is automatically loaded. When set through the environment, use ':' as the
delimiter (like $PATH). (default: ~/.jq, ~/.jlog/jq/.jq, ~/.jlog/jq) [$JLOG_JQ_SEARCH_PATH]
-M, --no-color Disable the use of color. [$JLOG_FORCE_MONOCHROME]
-c, --no-monochrome Force the use of color. [$JLOG_FORCE_COLOR]
--profile= If set, collect a CPU profile and write it to this file.
-v, --version Print version information and exit.
Help Options:
-h, --help Show this help message
All options can be set as environment variables; if there's something you use every time you invoke it, just set it up in your shell's init file.
Input
--levelkey
, --timekey
, and --messagekey
will allow jlog to handle log formats it's not yet
taught to recognize. If your JSON log uses foo
as the level, bar
as the time, and baz
as the
message, like: {"foo":"info", "bar":"2022-01-01T00:00:00.123", "baz":"information!"}
, then
jlog --levelkey=foo --timekey=bar --messagekey=baz
will allow jlog to properly format those logs.
Some logs don't have a level or a message (or a time?); use --nolevelkey
, --nomessagekey
, or
--notimekey
to allow parsing such logs in stict mode. The output will also be adjusted to not
print fields that aren't in the input log.
There is some logic to guess the log format based on the first line. If this yields incorrect
results, file a bug, but setting any of --levelkey
, --timekey
, or --messagekey
will completely
disable auto-guessing.
Some loggers put all structured data into one key; you can merge that key's values into the main set
of fields with --upgrade <key>
. This makes eliding of repeated fields work for that log format.
Logs that look like they were produced by a known library that does this are automatically upgraded.
Some loggers output schema format information with each log message. You can delete keys like this
with --delete <key>
. Logs that look that look like they were produced by a known library that does
this automatically have that key deleted. (You can do this with del(.key)
in a JQ program, as
well.)
Output
There are many options to control the output format. You can output timestamps in your favorite
format with -t XXX
, where XXX is one of the options listed above or any
go time format string.
If you want to distinguish events that happened in the same second as the previous line, use -s
.
It will turn output like:
2022-01-01T00:00:00.000 DEBUG this is a debug message
2022-01-01T00:00:00.123 DEBUG this is another debug message
2022-01-01T00:00:01.000 DEBUG this is the last debug message
Into:
2022-01-01T00:00:00.000 DEBUG this is a debug message
.123 DEBUG this is another debug message
2022-01-01T00:00:01.000 DEBUG this is the last debug message
This can sometimes make spammy logs a little easier on the eyes.
You can pass -r
to see the time difference between when the program started and the log line. This
is good if you don't want to do any mental math.
You can adjust the output timezone with the TZ
environment variable. TZ=America/Los_Angeles jlog
will print times in Pacific, for example.
-p
Will ensure that if a named field is present, it will appear immediately after the message.
-H
Will highlight the named field in a different color. -H error
is nice for locating errors at
a glance.
Filtering
By default, we print every line in the input log. You can remove lines from the output with JQ or regex filters.
When filtering, you can show nearby lines that were filtered out; after context -A
, before context
-B
, and context -C
are supported, just like grep. Non-contiguous context regions are separated
with "---".
All fancy string processing (subsecond timestamps, field eliding, etc.) works correctly in the presence of filtering and context.
jq
You can pass a jq program to process the input. Something like
jlog -e 'select($LVL>$INFO)'
will only show logs with a level greater than info. Something like
jlog -e 'select($MSG | test("foo"))'
will only show messages that contain "foo" (even if a field
contains foo). You can of course access any field in the parsed JSON log line and make selection
decisions on that, or delete fields, or add new fields.
The JQ program is run after schema detection and validation.
--jq-search-path
lets you set up a list of locations to search for jq modules. Items with the
filename .jq
(not ending in .jq
, literally that exact name) are automatically imported. The
default value reads ~/.jq
(which jq
itself also reads), ~/.jlog/.jq
, and can load modules
(with include
or import
) from ~/.jlog/jq/*
.
I put common jq
snippets in ~/.jq
to save myself some typing; adding
def nh: select(.method != "grpc.health.v1.Health.Check ");
to that file then lets you run
jlog -e nh
and see the logs with messages about health checks filtered out. (I also have
def flat: [leaf_paths as $path | {"key": $path | join("."), "value": getpath($path)}] | from_entries;
which will explode nested objects into their own keys, allowing features like --elide
to work on
nested objects where some fields change between lines.)
Regular expressions
You can pass -g <regex>
to only show lines that match the provided regex. -G
does the opposite,
filtering out lines that match the regex (like grep -v
).
If provided, the JQ program is run regardless of the outcome of regex filtering, and can still filter the line out. (It can't add back a filtered line, though.)
Any captures in the regex match become fields in the output (and for JQ to inspect). By default,
they are named $1
, $2
, etc. but you can choose your own name with the
(?P<name>regex goes here)
syntax.
By default, regexes are run on the parsed message, field keys, and JSON-marshaled field values. You
can customize this by passing -S
or --regex-scope
. A value of kv
would only match keys and
values, for example. Matching is stopped as soon as match is found; use a jq
program if you want
to find all matches and analyze them.
Highlighting
The built-in jq function highlight
will caused matched messages to display in inverse-video
jlog -e 'highlight(.foo == 42)'
would highlight any message where the foo
key equals 42.
jlog -e 'highlight($MSG|test("abc"))'
would highlight any message that contains "abc"
.
Directories ¶
Path | Synopsis |
---|---|
cmd
|
|
pkg
|
|
parse/internal/fuzzsupport
Package fuzzsupport supports generating random syntactically-sound JSON logs.
|
Package fuzzsupport supports generating random syntactically-sound JSON logs. |
parse/internal/fuzzsupport/cmd/readLogCorpus
Command readLogCorpus reads files named on the command-line, translating them from the fuzzer's corpus file format to raw JSON logs.
|
Command readLogCorpus reads files named on the command-line, translating them from the fuzzer's corpus file format to raw JSON logs. |