Window transform

A variant of ring buffer or backtrace logging implemented as a sliding window

A variant of ring buffer or backtrace logging implemented as a sliding window. Keeps events in a buffer until the flush_when condition is matched. When the buffer is full, the oldest events are dropped.

Configuration

Example configurations

{
  "transforms": {
    "my_transform_id": {
      "type": "window",
      "inputs": [
        "my-source-or-transform-id"
      ]
    }
  }
}

[transforms.my_transform_id]
type = "window"
inputs = [ "my-source-or-transform-id" ]

transforms:
  my_transform_id:
    type: window
    inputs:
      - my-source-or-transform-id

{
  "transforms": {
    "my_transform_id": {
      "type": "window",
      "inputs": [
        "my-source-or-transform-id"
      ],
      "num_events_before": 100
    }
  }
}

[transforms.my_transform_id]
type = "window"
inputs = [ "my-source-or-transform-id" ]
num_events_before = 100

transforms:
  my_transform_id:
    type: window
    inputs:
      - my-source-or-transform-id
    num_events_before: 100

flush_when

required condition

A condition used to flush the events.

If the condition resolves to true for an event, the whole window is immediately flushed, including the event itself, and any following events if num_events_after is more than zero.

flush_when.source

The text of the condition. The syntax of the condition depends on the value of type.

flush_when.type

The type of condition to supply. See Available syntaxes below for a list of available types for this transform.

Available syntaxes

Syntax	Description	Example
`vrl`	A Vector Remap Language (VRL) Boolean expression.	`.status_code != 200 && !includes(["info", "debug"], .severity)`
`datadog_search`	A Datadog Search query string.	`*stack`
`is_log`	Whether the incoming event is a log.
`is_metric`	Whether the incoming event is a metric.
`is_trace`	Whether the incoming event is a trace.

Shorthand for VRL

If you opt for the vrl syntax for this condition, you can set the condition as a string via the condition parameter, without needing to specify both a source and a type. The table below shows some examples:

Config format	Example
YAML	`condition: .status == 200`
TOML	`condition = ".status == 200"`
JSON	`"condition": ".status == 200"`

Condition config examples

Standard VRL

flush_when:
  type: "vrl"
  source: ".status == 500"

flush_when = { type = "vrl", source = ".status == 500" }

"flush_when": {
  "type": "vrl",
  "source": ".status == 500"
}

Datadog Search

flush_when:
  type: "datadog_search"
  source: "*stack"

flush_when = { type = "datadog_search", source = "*stack" }

"flush_when": {
  "type": "datadog_search",
  "source": "*stack"
}

VRL shorthand

flush_when: ".status == 500"

flush_when = ".status == 500"

"flush_when": ".status == 500"

forward_when

optional condition

A condition used to pass events through the transform without buffering.

If the condition resolves to true for an event, the event is immediately forwarded without buffering and without preserving the original order of events. Use with caution if the sink cannot handle out of order events.

forward_when.source

The text of the condition. The syntax of the condition depends on the value of type.

forward_when.type

The type of condition to supply. See Available syntaxes below for a list of available types for this transform.

Available syntaxes

Syntax	Description	Example
`vrl`	A Vector Remap Language (VRL) Boolean expression.	`.status_code != 200 && !includes(["info", "debug"], .severity)`
`datadog_search`	A Datadog Search query string.	`*stack`
`is_log`	Whether the incoming event is a log.
`is_metric`	Whether the incoming event is a metric.
`is_trace`	Whether the incoming event is a trace.

Shorthand for VRL

Config format	Example
YAML	`condition: .status == 200`
TOML	`condition = ".status == 200"`
JSON	`"condition": ".status == 200"`

Condition config examples

Standard VRL

forward_when:
  type: "vrl"
  source: ".status == 500"

forward_when = { type = "vrl", source = ".status == 500" }

"forward_when": {
  "type": "vrl",
  "source": ".status == 500"
}

Datadog Search

forward_when:
  type: "datadog_search"
  source: "*stack"

forward_when = { type = "datadog_search", source = "*stack" }

"forward_when": {
  "type": "datadog_search",
  "source": "*stack"
}

VRL shorthand

forward_when: ".status == 500"

forward_when = ".status == 500"

"forward_when": ".status == 500"

graph

optional object

Extra graph configuration

Configure output for component when generated with graph command

graph.node_attributes

optional object

Node attributes to add to this component’s node in resulting graph

They are added to the node as provided

graph.node_attributes.*

required string literal

A single graph node attribute in graphviz DOT language.

Examples

{
  "color": "red",
  "name": "Example Node",
  "width": "5.0"
}

inputs

required [string]

A list of upstream source or transform IDs.

Wildcards (*) are supported.

See configuration for more info.

Array string literal

Examples

[
  "my-source-or-transform-id",
  "prefix-*"
]

num_events_after

optional uint

The maximum number of events to keep after the event matched by the flush_when condition.

num_events_before

optional uint

The maximum number of events to keep before the event matched by the flush_when condition.

default: 100

Outputs

<component_id>

Default output stream of the component. Use this component’s ID as an input to downstream transforms and sinks.

Telemetry

Metrics

link

component_discarded_events_total

counter

The number of events dropped by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

intentional

True if the events were discarded intentionally, like a filter transform, or false if due to an error.

pid optional

The process ID of the Vector instance.

component_errors_total

counter

The total number of errors encountered by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

error_type

The type of the error

host optional

The hostname of the system Vector is running on.

pid optional

The process ID of the Vector instance.

stage

The stage within the component at which the error occurred.

component_received_event_bytes_total

counter

The number of event bytes accepted by this component either from tagged origins like file and uri, or cumulatively from other origins.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

container_name optional

The name of the container from which the data originated.

file optional

The file from which the data originated.

host optional

The hostname of the system Vector is running on.

mode optional

The connection mode used by the component.

peer_addr optional

The IP from which the data originated.

peer_path optional

The pathname from which the data originated.

pid optional

The process ID of the Vector instance.

pod_name optional

The name of the pod from which the data originated.

uri optional

The sanitized URI from which the data originated.

component_received_events_count

histogram

A histogram of the number of events passed in each internal batch in Vector’s internal topology.

Note that this is separate than sink-level batching. It is mostly useful for low level debugging performance issues in Vector due to small internal batches.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

container_name optional

The name of the container from which the data originated.

file optional

The file from which the data originated.

host optional

The hostname of the system Vector is running on.

mode optional

The connection mode used by the component.

peer_addr optional

The IP from which the data originated.

peer_path optional

The pathname from which the data originated.

pid optional

The process ID of the Vector instance.

pod_name optional

The name of the pod from which the data originated.

uri optional

The sanitized URI from which the data originated.

component_received_events_total

counter

The number of events accepted by this component either from tagged origins like file and uri, or cumulatively from other origins.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

container_name optional

The name of the container from which the data originated.

file optional

The file from which the data originated.

host optional

The hostname of the system Vector is running on.

mode optional

The connection mode used by the component.

peer_addr optional

The IP from which the data originated.

peer_path optional

The pathname from which the data originated.

pid optional

The process ID of the Vector instance.

pod_name optional

The name of the pod from which the data originated.

uri optional

The sanitized URI from which the data originated.

component_sent_event_bytes_total

counter

The total number of event bytes emitted by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

output optional

The specific output of the component.

pid optional

The process ID of the Vector instance.

component_sent_events_total

counter

The total number of events emitted by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

output optional

The specific output of the component.

pid optional

The process ID of the Vector instance.

stale_events_flushed_total

counter

The number of stale events that Vector has flushed.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

pid optional

The process ID of the Vector instance.

utilization

gauge

A ratio from 0 to 1 of the load on a component. A value of 0 would indicate a completely idle component that is simply waiting for input. A value of 1 would indicate a that is never idle. This value is updated every 5 seconds.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

pid optional

The process ID of the Vector instance.

Examples

Flush recent events when an error happens

Given this event...

[{"log":{"level":"info","message":"A01"}},{"log":{"level":"debug","message":"A02"}},{"log":{"level":"info","message":"A03"}},{"log":{"level":"debug","message":"A04"}},{"log":{"level":"error","message":"A05"}},{"log":{"level":"debug","message":"A06"}},{"log":{"level":"warning","message":"A07"}},{"log":{"level":"info","message":"A08"}},{"log":{"level":"debug","message":"A09"}},{"log":{"level":"info","message":"A10"}}]

...and this configuration...

transforms:
  my_transform_id:
    type: window
    inputs:
      - my-source-or-transform-id
    flush_when: .level == "error"
    num_events_before: 2
    num_events_after: 2

[transforms.my_transform_id]
type = "window"
inputs = [ "my-source-or-transform-id" ]
flush_when = '.level == "error"'
num_events_before = 2
num_events_after = 2

{
  "transforms": {
    "my_transform_id": {
      "type": "window",
      "inputs": [
        "my-source-or-transform-id"
      ],
      "flush_when": ".level == \"error\"",
      "num_events_before": 2,
      "num_events_after": 2
    }
  }
}

...this Vector event is produced:

[{"log":{"level":"info","message":"A03"}},{"log":{"level":"debug","message":"A04"}},{"log":{"level":"error","message":"A05"}},{"log":{"level":"debug","message":"A06"}},{"log":{"level":"warning","message":"A07"}}]

Pass events through without preserving the order

Given this event...

[{"log":{"level":"info","message":"A01"}},{"log":{"level":"debug","message":"A02"}},{"log":{"level":"info","message":"A03"}},{"log":{"level":"debug","message":"A04"}},{"log":{"level":"error","message":"A05"}},{"log":{"level":"debug","message":"A06"}},{"log":{"level":"warning","message":"A07"}},{"log":{"level":"info","message":"A08"}},{"log":{"level":"debug","message":"A09"}},{"log":{"level":"info","message":"A10"}}]

...and this configuration...

transforms:
  my_transform_id:
    type: window
    inputs:
      - my-source-or-transform-id
    flush_when: .level == "error"
    forward_when: .level == "info"
    num_events_before: 2
    num_events_after: 2

[transforms.my_transform_id]
type = "window"
inputs = [ "my-source-or-transform-id" ]
flush_when = '.level == "error"'
forward_when = '.level == "info"'
num_events_before = 2
num_events_after = 2

{
  "transforms": {
    "my_transform_id": {
      "type": "window",
      "inputs": [
        "my-source-or-transform-id"
      ],
      "flush_when": ".level == \"error\"",
      "forward_when": ".level == \"info\"",
      "num_events_before": 2,
      "num_events_after": 2
    }
  }
}

...this Vector event is produced:

[{"log":{"level":"info","message":"A01"}},{"log":{"level":"info","message":"A03"}},{"log":{"level":"debug","message":"A02"}},{"log":{"level":"debug","message":"A04"}},{"log":{"level":"error","message":"A05"}},{"log":{"level":"debug","message":"A06"}},{"log":{"level":"warning","message":"A07"}},{"log":{"level":"info","message":"A08"}},{"log":{"level":"info","message":"A10"}}]

How it works

Advantages of Use

A common way to reduce log volume from a verbose system is to filter out less important messages, and only ingest errors and warnings. However, an error message by itself may not be sufficient to determine the cause, as surrounding events often contain important context information leading to the failure.

The window transform allows for reduction of log volume by filtering out logs when the system is healthy, but preserving detailed logs when they are most relevant.

Sliding Window

As the stream of events passes through the transform, it is observed though a “window” that spans between num_events_before and num_events_after relative to an event matched by the flush_when condition. When the condition is matched, the whole window is flushed to the output. This is also known as backtrace logging or ring buffer logging.

Past events are stored in a memory buffer with the capacity of num_events_before. When the buffer is full, the oldest events are dropped to make space for new ones. The buffer is not persistent, so in case of a hard system crash, all the buffered events will be lost.

Future events are counted from the event matched by the flush_when condition until num_events_after number of events is reached.

If the flush_when condition is matched before the buffer fills up, it will be flushed again. If the flush condition is triggered often enough (for example, the system is constantly logging errors), the transform may always be in the flushing state, meaning that no events will be filtered. Therefore it works best for conditions that are relatively uncommon.

State

This component is stateful, meaning its behavior changes based on previous inputs (events). State is not preserved across restarts, therefore state-dependent behavior will reset between restarts and depend on the inputs (events) received since the most recent restart.