kelora 0.2.2

A command-line log analysis tool with embedded Rhai scripting
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

📄 Input Format Spec: docker

Format Name

-f docker


⸻

🎯 Purpose

Parse log output from:
	•	docker logs (single container)
	•	docker compose logs (multi-container, prefixed)

Into structured Kelora events with the following fields:
	•	msg (required): the main log message
	•	src (optional): container/service name from Compose
	•	ts (optional): parsed timestamp, if present

⸻

🧬 Input Variants

1. Compose with timestamp

web_1    | 2024-07-27T12:34:56.123456789Z GET /health 200

➡

{
  "src": "web_1",
  "ts": "2024-07-27T12:34:56.123456789Z",
  "msg": "GET /health 200"
}


⸻

2. Compose without timestamp

db_1     | Connection established

➡

{
  "src": "db_1",
  "msg": "Connection established"
}


⸻

3. Raw docker logs with timestamp

2024-07-27T12:34:56Z GET /api

➡

{
  "ts": "2024-07-27T12:34:56Z",
  "msg": "GET /api"
}


⸻

4. Raw docker logs without timestamp

Started app in 3.1s

➡

{
  "msg": "Started app in 3.1s"
}


⸻

🔎 Parsing Logic
	1.	Split on first | (Compose prefix)
	•	If found:
	•	Left becomes source (trimmed)
	•	Right becomes payload
	•	If not found:
	•	Entire line is payload
	2.	Try to parse timestamp from start of payload
	•	If payload begins with a known timestamp format:
	•	Extract timestamp as ts
	•	Remaining string becomes msg
	•	If no timestamp:
	•	Entire payload is msg
	3.	Trim all fields

⸻

🕓 Timestamp Parsing
	•	Supports RFC3339/ISO8601 with/without nanoseconds
	•	Example accepted formats:
	•	2024-07-27T12:34:56Z
	•	2024-07-27T12:34:56.123Z
	•	2024-07-27T12:34:56.123456789Z

Uses the same adaptive timestamp parser as other formats, respecting:
	•	--ts-format
	•	--ts-field (not applicable for this format, ignored)
	•	--input-tz

⸻

⚙️ Options

Flag	Description
--strict	Fail on malformed input (invalid timestamp, no msg)
--input-tz	Timezone to assume for naive timestamps
--docker-drop-source (optional)	Do not include the source field in output (discard Compose prefixes)


⸻

📦 Output Schema

Event {
  fields: IndexMap<String, FieldValue> = {
    "msg": "...",              // always present
    "src": "...",              // optional
    "ts": "...",               // optional, parsed as DateTime
  },
  ts: Option<DateTime>,         // populated from "ts" field
  level: Option<String>,        // inferred manually if user defines it
  msg: Option<String>,          // set from "msg" field
}


⸻

❌ Not Supported
	•	Mixed formats (Compose + JSON)
	•	Docker logs in JSON mode (--log-driver=json-file) — use -f jsonl instead
	•	Container labels, stream identifiers, etc. (not in text logs)

⸻

🧪 Example CLI Usage

docker compose logs --timestamps | kelora -f docker --filter 'e.src == "web" && e.msg.contains("500")'

docker logs myapp | kelora -f docker --filter 'e.msg.contains("timeout")'