Log data auto-mapping and mapping
Summary of Log data auto-mapping and mapping
Health Log Analytics in ServiceNow automatically maps incoming log lines to tags such as service instance, component, and source type to organize and analyze logs efficiently. It extracts key data from log fields and enables manual refinement of mapping through JavaScript functions. This capability supports logical organization, anomaly detection, and root cause analysis (RCA) by correlating log data to Configuration Items (CIs) in the CMDB.
Auto-Mapping and Manual Mapping
- Auto-mapping: Assigns log data to service instance (defined in data input setup), component, and source type based on fields like source, path, and syslog tags.
- Manual mapping: Users can customize or override mappings by defining JavaScript functions during data input configuration.
- Test mode: Allows testing mapping scripts on sample data without affecting production storage. Temporary indices store test results and are deleted once scripts are published and Test mode exits.
Data Extraction Control
- Stop extraction of unneeded data: Prevents capturing redundant or non-descriptive information to maintain clean log data.
- Ensure extraction of specific data: Forces extraction of desired terms, improving accuracy in component mapping.
Data Input and Source Management
- Mapping allows organizing logs by service instances and availability zones, with unique service instance-component pairs and multiple source types per component.
- Limits on the number of sources per data input can be configured to avoid excessive creation due to faulty mapping scripts. Warnings and critical limits trigger notifications and can halt data input streaming to protect system resources.
Binding Logs to Configuration Items (CIs)
Binding log entries to service instances linked to CIs in the CMDB enables correlation within Health Log Analytics for more effective root cause analysis.
Additional Features
- Header properties detection: Automatically separates transport headers from actual log messages to ensure clean data processing.
- Visualization: Explore many-to-many relationships between source types and log sources to optimize log data mapping and management.
By default, the Health Log Analytics AI engine tries to auto-map every incoming log line to the correct tags. You can change automatic mapping results manually by defining a JavaScript function.
Auto-mapping incoming log lines
Health Log Analytics auto-mapping assigns log samples and metadata to three tags: service instance, component, and source type. The service instance assignment is based on the service instance specified in the data input setup. The remaining tags are assigned automatically.
In the following example log line, Health Log Analytics uses the "source" field to find the component and source type.
{"beat":{"version":"6.8","name":"abc3.prd.acme.com","hostname":"abc3.prd.acme.com"},"@timestamp":"2020-08-27T10:12:24.792Z","prospector":{"type":"log"},"message":"**** User null is requesting the following page http://www.acme.com PROPS:{\"subcategory1\":\"home pages\",\"httpStatus\":\"200\",\"loginLevel\":\"Anonymous\",\"userAgent\":\"Mozilla5.0\",\"pageUrl\":\"http://www.acme.com\"}","host":"abc3.prd.acme.com","@version":"1","source":"/opt/oracle/weblogic/abc/online_store3/logs/online_store3.out","offset":3951550786}
In the example, Health Log Analytics extracts the string "online_store". It analyzes the following fields if they exist in the log line: source, path, channel, namespace_name, name, pod_name, source_name, and aws_lambda_name. When data is sent over Syslog, it also analyzes the syslog tag.
- Stop extraction of unneeded data: If an extracted string is not descriptive enough or contains redundant text or information, you can stop extracting such expendable data. For more information, see Stop extraction of unneeded log data.
- Ensure extraction of specific data: You can make sure that Health Log Analytics extracts specific desired terms. For more information, see Ensure extraction of specific log data.
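The following added example (not ServiceNow code) imitates the kind of component extraction described above, including a stop-list for unneeded strings and an ensure-list for terms that must always be extracted. The field order is the one listed on this page; the path-cleaning rules, the stop-list, the ensure-list, the `syslogTag` parameter and the sample lines are assumptions chosen for illustration, not the product's actual algorithm.

```javascript
// Added example (not ServiceNow code): a small heuristic that imitates the
// kind of component-name extraction described above. The field order comes
// from the page; the path-cleaning rules, the stop-list and the ensure-list
// are assumptions chosen for illustration.

// Fields inspected, in order, when the log line is JSON (list from the page).
const CANDIDATE_FIELDS = [
  "source", "path", "channel", "namespace_name",
  "name", "pod_name", "source_name", "aws_lambda_name",
];

// Hypothetical stop-list ("stop extraction of unneeded data"): path
// segments too generic to identify a component.
const UNNEEDED = new Set(["logs", "log", "out", "var", "opt", "tmp"]);

// Hypothetical ensure-list ("ensure extraction of specific data"): terms
// that are used as the component whenever they occur in a candidate value.
const ENSURE = [/checkout/, /inventory/];

// Normalise one path segment: drop a file extension and a trailing
// instance number, e.g. "online_store3.out" -> "online_store".
function cleanSegment(segment) {
  return segment
    .replace(/\.[A-Za-z0-9]+$/, "")
    .replace(/[-_]?\d+$/, "")
    .toLowerCase();
}

// Derive a component candidate from a single field value (path or tag).
function candidateFromValue(value) {
  if (typeof value !== "string" || value.length === 0) return null;
  for (const rx of ENSURE) {
    const m = value.match(rx);
    if (m) return m[0];
  }
  // Walk the path from the most specific segment outwards, skipping stop-listed ones.
  const segments = value.split(/[\\\/]/).filter(Boolean);
  for (let i = segments.length - 1; i >= 0; i--) {
    const c = cleanSegment(segments[i]);
    if (c && !UNNEEDED.has(c)) return c;
  }
  return null;
}

// Extract the component candidate from a raw log line. `syslogTag` (assumed
// parameter) carries the tag when the line arrived over Syslog rather than as JSON.
function extractComponent(rawLine, syslogTag) {
  let doc = null;
  try { doc = JSON.parse(rawLine); } catch (e) { /* not JSON: fall through to the syslog tag */ }
  if (doc && typeof doc === "object") {
    for (const field of CANDIDATE_FIELDS) {
      const c = candidateFromValue(doc[field]);
      if (c) return { component: c, from: field };
    }
  }
  const c = candidateFromValue(syslogTag);
  return c ? { component: c, from: "syslog_tag" } : { component: null, from: null };
}

// Constructed sample, modelled on the Filebeat line shown above.
const SAMPLE_LINE = JSON.stringify({
  beat: { version: "6.8", name: "abc3.prd.acme.com", hostname: "abc3.prd.acme.com" },
  "@timestamp": "2020-08-27T10:12:24.792Z",
  prospector: { type: "log" },
  message: "**** User null is requesting the following page http://www.acme.com",
  host: "abc3.prd.acme.com",
  "@version": "1",
  source: "/opt/oracle/weblogic/abc/online_store3/logs/online_store3.out",
  offset: 3951550786,
});

console.log(extractComponent(SAMPLE_LINE)); // { component: 'online_store', from: 'source' }
```

The walk from the most specific path segment outwards is what makes the stop-list useful: a path such as `/var/log/worker/logs/out.log` yields `worker` instead of the meaningless `out` or `logs`, while the ensure-list turns `checkout-svc-7f9d.log` into `checkout` regardless of the rest of the file name.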
Mapping data input sources
You can change automatic mapping results manually by defining a JavaScript function. Data input mapping enables you to organize your log data by service instance and by availability zone. A single service instance can include multiple components, and a component can receive logs from many different source types. A service instance-component pair, however, is unique. Source types are based on a specific log structure and format. Service instances and components are defined more broadly and are therefore used mainly for logical mapping.
Activating Test mode avoids blowing up Elasticsearch storage with sample data that is used only for perfecting the log data mapping. When the data input is in Test mode, Health Log Analytics doesn’t create the source types, sources, or any other objects it creates in the standard flow. It saves the streamed data in dedicated temporary Elasticsearch indices that appear as components in the Log viewer. When you publish the script and exit Test mode, these temporary indices are deleted to minimize storage space consumption.
| System property | Description | Default |
|---|---|---|
| log_source.sources_warning_limit | The warning limit for the number of sources created per data input. | 500 |
| log_source.sources_critical_limit | The critical limit for the number of sources created per data input. | 600 |
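The following added example (not ServiceNow code) shows how a manual mapping function can collapse many log sources into a few stable service instance-component pairs, and how a Test-mode style dry run over sample lines reveals a faulty script that would create a new source for every pod replica. The page states only that mapping is overridden with a user-defined JavaScript function, that Test mode persists nothing, and that the source limits default to 500 and 600; the function signature, the `dryRun` harness and the sample records are assumptions.

```javascript
// Added example (not ServiceNow code). The mapping-function signature, the
// dry-run harness and the sample records below are assumptions for illustration.

// Defaults of log_source.sources_warning_limit / log_source.sources_critical_limit (from the page).
const SOURCE_LIMITS = { warning: 500, critical: 600 };

// Hypothetical user mapping function: receives the parsed log line and the
// auto-mapping result, returns the final tags. Every pod of the Kubernetes
// namespace "payments" is assigned to one service instance, and the replica
// suffix is stripped from the pod name so replicas of one deployment share a component.
function mapLogLine(doc, auto) {
  const tags = { ...auto };
  if (doc.namespace_name === "payments") {
    tags.serviceInstance = "payments-prod";
    tags.component = String(doc.pod_name || "").replace(/-[a-z0-9]+-[a-z0-9]+$/, "");
    tags.sourceType = "k8s-container-log";
  }
  return tags;
}

// Faulty variant: the raw pod name (with its replica suffix) becomes the
// component, so every new replica creates a new source.
function faultyMapLogLine(doc, auto) {
  return { ...auto, serviceInstance: "payments-prod", component: doc.pod_name, sourceType: "k8s-container-log" };
}

// Dry run in the spirit of Test mode: apply the mapping to sample lines,
// count the distinct sources that would be created, and stop when the
// critical limit would be exceeded. Nothing is written anywhere.
function dryRun(rawLines, mapFn, limits = SOURCE_LIMITS) {
  const sources = new Map();
  let halted = false;
  for (const raw of rawLines) {
    let doc;
    try { doc = JSON.parse(raw); } catch (e) { continue; }
    const auto = { serviceInstance: "unassigned", component: "unknown", sourceType: "generic" };
    const tags = mapFn(doc, auto);
    const key = `${tags.serviceInstance}|${tags.component}|${tags.sourceType}`;
    if (!sources.has(key)) {
      if (sources.size >= limits.critical) { halted = true; break; }
      sources.set(key, 0);
    }
    sources.set(key, sources.get(key) + 1);
  }
  return {
    sources: Object.fromEntries(sources),
    sourceCount: sources.size,
    warning: sources.size >= limits.warning,
    halted,
  };
}

// Constructed sample lines: five replicas of two deployments.
const SAMPLE_LINES = [
  { namespace_name: "payments", pod_name: "checkout-7f9d4-abc12", message: "order 1 accepted" },
  { namespace_name: "payments", pod_name: "checkout-7f9d4-def34", message: "order 2 accepted" },
  { namespace_name: "payments", pod_name: "checkout-7f9d4-ghi56", message: "order 3 accepted" },
  { namespace_name: "payments", pod_name: "cart-5a1b2-xyz90", message: "cart created" },
  { namespace_name: "payments", pod_name: "cart-5a1b2-uvw12", message: "cart created" },
].map((o) => JSON.stringify(o));

// Small limits so the sample exercises the warning and critical paths.
const TEST_LIMITS = { warning: 3, critical: 4 };
console.log(dryRun(SAMPLE_LINES, mapLogLine, TEST_LIMITS).sourceCount);  // 2
console.log(dryRun(SAMPLE_LINES, faultyMapLogLine, TEST_LIMITS).halted); // true
```

Running the dry run with the real defaults (500/600) would not halt on five lines, which is exactly why a dry run over a representative sample matters: a script keyed on a high-cardinality field such as a replica name passes a small test and only hits the limits once production traffic arrives.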
Binding log data
Binding log data to Configuration Items (CIs) in the Configuration Management Database (CMDB) enables you to search the CMDB for endpoints that match a log. When you configure a data input, you bind log entries to a service instance that is bound to a CI in the CMDB. Binding log entries, service instances, and CIs enables the Health Log Analytics AI engine to correlate them for use in root cause analysis (RCA). For more information, see Configure Rsyslog, Filebeat, or Winlogbeat data inputs or Configure Elasticsearch data inputs.