[07:12:37] good morning. I have fun one for logstash! [07:13:08] when we deploy MediaWiki, we first push it to canaries server which are defined in puppet/etcd/conftool and the list of canaries thus tend to change [07:18:55] scap invokes modules/service/files/logstash_checker.py with the list of canaries and if there are errors after like 10 Seconds, it aborts [07:19:31] we do output a dashboard URL which has a set of host hardcoded in the lucene query, and of course as canaries are migrated via puppet/etcd , the query in the dashboard get obsolete and thus useless [07:20:05] so I am looking for a way to tag messages emitted by canaries with some specific field which could be then used on that Kibana dashboard [07:24:57] then the dashboard query would no more be tied to the hostnames ;) [07:27:38] make sense to me, I think I've seen some chatter re: mediawiki using 'servergroup' in its logs to tag canaries? [07:28:06] I think mw/serviceops folks would have more info, the solution you outlined seems the right thing to do to me [07:30:30] oh [07:30:45] I did notice the somewhat newish servergroup which help split between app and api servers [07:31:31] ah yeah I might be wrong about the usage/scope of servergroup but you get the idea [07:32:34] we have different puppet profiles for appserver / api_appserver and for their equivalent canaries [07:32:44] so I guessI can look at adding some new field such as canary: yes [07:33:32] thank godog for the lead! [07:33:51] hashar: sure np! [07:46:17] godog: a related question, may I get an emitted field to be recognized as a boolean by logstash/elasticsearch? I thought about: canary: true :D [07:47:43] or maybe the PHP logging stack is smart enough to find out that the PHP variable being a boolean, it is emitted as a boolean to logstash which would then index it as a boolean as well [07:48:18] not 100% sure about the php logging part, but the latter part yes should happen as you described [07:48:43] great, ets assume that computers and other developers are smarter than me. Thank you !