LoggiFly

Appearance

Extracting JSON Fields

When your logs are in JSON format, all JSON keys automatically become available as template fields in both message_template and title_template.

How It Works

LoggiFly automatically parses JSON logs and makes all keys accessible in your templates. This works for both keyword and regex patterns.

Here is an example where you want to catch this long json log entry from Authelia:

json
{
  "level": "error",
  "method": "POST",
  "msg": "Unsuccessful 1FA authentication attempt by user 'example_user' and they are banned until 12:23:00PM on May 1 2025 (+02:00)",
  "path": "/api/firstfactor",
  "remote_ip": "192.168.178.191",
  "stack": [
    {
      "File": "github.com/authelia/authelia/v4/internal/handlers/response.go",
      "Line": 274,
      "Name": "doMarkAuthenticationAttemptWithRequest"
    },
    {
      "File": "runtime/asm_amd64.s",
      "Line": 1700,
      "Name": "goexit"
    }
  ],
  "time": "2025-05-01T14:19:29+02:00"
}

You can use message_template to extract fields from the json log entry:

yaml
containers:
  rules:
    - container_name: authelia
      keywords:
        - keyword: Unsuccessful 1FA authentication
          title_template: "Failed login from {{ remote_ip }}"
          message_template: |
            🚨 Failed Login Attempt:
            {{ msg }}
            🔎 IP: {{ remote_ip }}
            🕐 {{ time }}

Nested JSON Structures

You can also extract data from nested JSON structures, including dictionaries and lists:

  • {{ key }} for top-level fields
  • {{ dict['key'] }} or {{ dict.key }}for nested fields
  • {{ list[0]['key'] }} for list access (indices starting at 0)

INFO

Dot notation ({{ dict.key }}) only works for keys that are valid Python identifiers, so alphanumeric and underscores only. Use bracket notation for keys with hyphens, spaces, dots, or other special characters.
For example, use {{ dict['key-with-hyphen'] }} as {{ dict.key-with-hyphen }} would not work.

Example JSON log entry:

json
{
  "event": "login",
  "user": {
    "name": "admin",
    "roles": [
      {"name": "superuser"},
      {"name": "editor"}
    ]
  },
  "location": {
    "city": "Berlin",
    "country": "Germany"
  }
}

Example template:

yaml
containers:
  rules:
    - container_name: myapp
      keywords:
        - keyword: "login"
          message_template: |
            User {{ user['name'] }} logged in from {{ location['city'] }}
            Role: {{ user['roles'][0]['name'] }}

Output:

User admin logged in from Berlin
Role: superuser