Search JSON in Logs

De-structured JSON Queries

Wrble flattens and indexes all valid JSON objects that occur in log lines. Here's how to send lines containing JSON and the syntax for searching them.

Sending JSON to Wrble

You can include JSON anywhere in the string using any of our ingestion methods.

Some samples that work:

Syslog/Rsyslog:

<1>0 2020-10-27T12:11:20,755 6e74d6f0f274 coordinator 0 0 [wrble_XYZ@56006] NEW USER: {"key":"value", "otherkey":5}

HTTP:

CRASH: {"error":"details", "account":{"id":5, "flags":["holidayON"]}}

Searching JSON Structures

Basic top-level query as in the Syslog example above:
key:value

To query into a nested structure, use dot notation, as with the HTTP example above:
account.id:5

Arrays can be queried by specifying the array key and a value:
account.flags:holidayON

NOTES

  • Partial JSON objects will produce nothing, so {"key":"value" will not be searchable unless the trailing } is added.
  • JSON split across message lines will not be searchable. Make sure line breaks and anything else that would break the message are correctly escaped. UDP fragmentation would also cause a parse failure.
  • We also support key=value syntax if you're worried about larger structures being split.
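
A local pre-flight check for the rules above, as an added example that is not Wrble's own code: it approximates the flattening described on this page so you can confirm which fields a line would expose before you ship it. The function names are hypothetical and Wrble's actual parser may behave differently.

```python
import json

_DECODER = json.JSONDecoder()

# Sample lines copied from this page; PARTIAL is the truncated object from the notes.
SYSLOG = ('<1>0 2020-10-27T12:11:20,755 6e74d6f0f274 coordinator 0 0 '
          '[wrble_XYZ@56006] NEW USER: {"key":"value", "otherkey":5}')
HTTP = 'CRASH: {"error":"details", "account":{"id":5, "flags":["holidayON"]}}'
PARTIAL = 'NEW USER: {"key":"value"'

def extract_json_objects(line):
    """Return every complete JSON object embedded in a log line."""
    found, pos = [], line.find("{")
    while pos != -1:
        try:
            obj, end = _DECODER.raw_decode(line, pos)
            found.append(obj)
            pos = line.find("{", end)
        except json.JSONDecodeError:
            # Incomplete or invalid at this brace. Trying the next brace is a
            # choice made for this sketch, not documented Wrble behaviour.
            pos = line.find("{", pos + 1)
    return found

def flatten(value, prefix=""):
    """Yield (dotted_key, scalar); array elements share the array's key."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for item in value:
            yield from flatten(item, prefix)
    else:
        yield prefix, value

def searchable_fields(line):
    """List the fields a line would expose to key:value searches."""
    return [pair for obj in extract_json_objects(line) for pair in flatten(obj)]

def matches(line, query):
    """Evaluate a single key:value query against one log line."""
    key, _, want = query.partition(":")
    return any(k == key and (v if isinstance(v, str) else json.dumps(v)) == want
               for k, v in searchable_fields(line))

if __name__ == "__main__":
    for sample in (SYSLOG, HTTP, PARTIAL):
        print(searchable_fields(sample) or "nothing searchable")
```

Running a representative line through `searchable_fields` before deployment shows whether a field you plan to alert on would be missing because of truncation or an unescaped line break.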