What this is / why we need it
When using the ViaQ data model with LokiStack, audit logs do not have verb as a Loki stream label by default. This means every audit query must do | json | verb=~"create", which requires parsing the full JSON of every log line.
The verb field is the most commonly used filter for audit log queries and has very low cardinality (~6 values: create, update, patch, delete, get, list). Adding it as a default stream label for audit logs would:
- Eliminate full-JSON parsing for the most common filter
- Partition the audit log stream effectively (most volume is get/list)
- Match what the OTLP model already supports via structured metadata
Proposal
Add verb to the default labelKeys for audit logs in the ClusterLogForwarder LokiStack output when using ViaQ. For example:
spec:
  outputs:
  - name: lokistack-out
    type: lokiStack
    lokiStack:
      labelKeys:
        audit:
          labelKeys:
          - verb
Cardinality assessment
- Only 6 possible values: create, update, patch, delete, get, list
- Creates at most 6 additional streams per existing audit stream
- Well within Loki's recommended "tens of values" guideline
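A worked illustration of the proposal and the cardinality assessment above, added here and not part of the issue or the operator's code: it partitions constructed audit records into Loki streams with and without verb as a label, shows the bound of 6 new streams per existing audit stream, and counts how many lines a verb filter has to fetch and JSON-parse in each case. The base label keys (log_type, openshift_log_source) are assumed defaults and the records are flattened for brevity.

```python
import json
from collections import Counter

# Assumed default audit stream labels (flattened ViaQ field names).
BASE_LABEL_KEYS = ("log_type", "openshift_log_source")
# The proposal: same labels plus verb.
VERB_LABEL_KEYS = BASE_LABEL_KEYS + ("verb",)
VERBS = ("create", "update", "patch", "delete", "get", "list")  # from the issue

# Constructed audit records: two log sources, get/list dominate the volume.
AUDIT_LINES = [
    json.dumps({"log_type": "audit", "openshift_log_source": src, "verb": verb})
    for src, verb in [
        ("kubeAPI", "get"), ("kubeAPI", "get"), ("kubeAPI", "get"), ("kubeAPI", "get"),
        ("kubeAPI", "list"), ("kubeAPI", "create"),
        ("openshiftAPI", "get"), ("openshiftAPI", "get"), ("openshiftAPI", "list"),
        ("openshiftAPI", "delete"),
    ]
]


def partition(lines, label_keys):
    """Group records into Loki streams keyed by the chosen label set; value = line count."""
    streams = Counter()
    for line in lines:
        rec = json.loads(line)
        streams[tuple((k, rec[k]) for k in label_keys)] += 1
    return streams


def lines_scanned_for_verb(lines, label_keys, verb):
    """Lines Loki must fetch (and run through | json) to answer a verb filter.
    With verb as a stream label the selector prunes other streams up front;
    without it every audit line is fetched and parsed."""
    streams = partition(lines, label_keys)
    if "verb" in label_keys:
        return sum(n for s, n in streams.items() if dict(s)["verb"] == verb)
    return sum(streams.values())


def logql(label_keys, verb):
    """The query a user writes in each configuration."""
    if "verb" in label_keys:
        return '{log_type="audit", verb="%s"}' % verb
    return '{log_type="audit"} | json | verb=~"%s"' % verb


def stream_bound_holds(lines):
    """Cardinality check: adding verb multiplies audit streams by at most len(VERBS)."""
    before = len(partition(lines, BASE_LABEL_KEYS))
    after = len(partition(lines, VERB_LABEL_KEYS))
    return after <= before * len(VERBS)
```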
Context