Automatic log enrichment

Dynatrace automatically enriches logs ingested both via API.

Transform API-ingested logs

Generic log ingestion automatically transforms status, severity, level, and syslog.severity severity keys to the loglevel attribute.

The input values for the status, severity, level, and syslog.severity severity keys are transformed (transformation is not case sensitive) into output values for the loglevel attribute based on the following mapping:

Input value	Output value	Example value
Begins with `emerg` or `f`	`EMERGENCY`	`Emergency`, `fail`, `Failure`
Begins with `e` excluding `emerg`	`ERROR`	`Error`, `error`
Begins with `a`	`ALERT`	`alarm`, `Alert`
Begins with `c`	`CRITICAL`	`Critical`, `crucial`
Begins with `s`	`SEVERE`	`Severe`, `serious`
Begins with `w`	`WARN`	`warn`, `Warning`
Begins with `n`	`NOTICE`	`note`, `Notice`
Begins with `i`	`INFO`	`Info`, `information`
Begins with `d` or `trace` or `verbose`	`DEBUG`	`debug`, `TRACE`, `Verbose`

Transform all types of logs

Additionally, for each log event, a status attribute is created with a value that is a sum of loglevel values based on the following grouping:

Included `loglevel` values	Combined `status` attribute value
`SEVERE`, `ERROR`, `CRITICAL`, `ALERT`, `FATAL`, `EMERGENCY`	`ERROR`
`WARN`	`WARN`
`INFO`, `TRACE`, `DEBUG`, `NOTICE`	`INFO`
`NONE`	`NONE`

For example: The level severity key in the generic log ingestion API request parameter contains the value serious.

The level severity key is transformed into the loglevel attribute with the serious value mapped to SEVERE based on the above table.
The loglevel attribute containing the SEVERE value is grouped into status attribute. Based on the grouping table above, the status attribute will contain the ERROR value.
For the log event details, the log viewer will report the following:

status - ERROR
loglevel - SEVERE