Understanding how the Logging agent parses severities

The IBM Cloud Logs Logging agent will attempt to determin the severity value of a routed log record. If the Logging agent cannot determine the severity of a log record, it sets the severity to info.

The severity of a log record is extracted after the log was picked up and modified by the Logging agent. This means, that all filters and modifications defined in the Logging agent configuration are applied before the record is parsed in preparation for sending it to an IBM Cloud Logs instance.

Severity parsing is done in a specific order. As soon as a match is found, the parsing is completed and subsequent steps are not executed.

First, the top level elements of the record are searched for fields named severity, level or logLevel, in that order. If a match is found, the corresponding value is mapped according to the mapping table. The mapping is case-insensitive and will find all upper-case and lower-case spellings.

If the first step did not yield any results, the same fields (severity, level or logLevel) are searched nested below the keys message and log. If a match is found, the value is mapped as described in the mapping table, where upper-case and lower-case spellings are not relevant.

Should the first steps not find any of the predefined field names, a simple text search is applied to fields named message and log. In this case, the search is case-sensitive and will only find the spellings defined in the mapping table.