
feat: add verb to default audit labelKeys for ViaQ data model #3317

Description

@sradco

What this is / why we need it

When using the ViaQ data model with LokiStack, audit logs do not have verb as a Loki stream label by default. This means every audit query must do | json | verb=~"create" which requires parsing the full JSON of every log line.

The verb field is the most commonly used filter for audit log queries and has very low cardinality (~6 values: create, update, patch, delete, get, list). Adding it as a default stream label for audit logs would:

  • Eliminate full-JSON parsing for the most common filter
  • Partition the audit log stream effectively (most volume is get/list)
  • Match what the OTLP model already supports via structured metadata

Proposal

Add verb to the default labelKeys for audit logs in the ClusterLogForwarder LokiStack output when using ViaQ. For example:

spec:
  outputs:
    - name: lokistack-out
      type: lokiStack
      lokiStack:
        labelKeys:
          audit:
            labelKeys:
              - verb

Cardinality assessment

  • Only 6 possible values: create, update, patch, delete, get, list
  • Creates at most 6 additional streams per existing audit stream
  • Well within Loki's recommended "tens of values" guideline
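As an added illustration, not code from this issue or from the project: a small Python simulation of the two points the proposal rests on, that selecting a stream by label avoids per-line JSON parsing at query time, and that the extra streams created by a `verb` label are bounded by the number of distinct verb values. It assumes the raw Kubernetes audit Event schema with a top-level `verb` field (as the `| json | verb=~"create"` query above implies) and a single assumed existing stream label `log_type`; the sample events are constructed. The constructed set deliberately includes `watch` and `deletecollection`, which Kubernetes audit logs emit alongside the six verbs listed above, so the reported verb set, and the stream count it produces, is slightly larger than six.

```python
import json

# Constructed sample audit events (not captured from a real cluster), in the
# Kubernetes audit Event schema with a top-level "verb" field. The "log_type"
# field is assumed to be the single existing stream label for audit logs.
SAMPLE_AUDIT_LINES = [
    '{"kind":"Event","log_type":"audit","verb":"get","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"pods","namespace":"kube-system"}}',
    '{"kind":"Event","log_type":"audit","verb":"list","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s"},"objectRef":{"resource":"endpoints"}}',
    '{"kind":"Event","log_type":"audit","verb":"watch","user":{"username":"system:kube-controller-manager"},"objectRef":{"resource":"replicasets"}}',
    '{"kind":"Event","log_type":"audit","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"clusterrolebindings","name":"alice-admin"}}',
    '{"kind":"Event","log_type":"audit","verb":"patch","user":{"username":"bob"},"objectRef":{"resource":"deployments","namespace":"app","name":"web"}}',
    '{"kind":"Event","log_type":"audit","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"secrets","namespace":"app","name":"db-creds"}}',
    '{"kind":"Event","log_type":"audit","verb":"deletecollection","user":{"username":"system:serviceaccount:ci:janitor"},"objectRef":{"resource":"pods","namespace":"ci"}}',
    '{"kind":"Event","log_type":"audit","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"app","name":"db-creds"}}',
    '{"kind":"Event","log_type":"audit","verb":"list","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"nodes"}}',
    '{"kind":"Event","log_type":"audit","verb":"update","user":{"username":"system:node:worker-0"},"objectRef":{"resource":"nodes","name":"worker-0"}}',
]


def extract_field(event, dotted_key):
    """Return the value at a dotted path ("objectRef.resource") or None if absent.
    Non-string values are serialised so they can act as label values."""
    cur = event
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur if isinstance(cur, str) else json.dumps(cur)


def ingest(lines, label_keys):
    """Simulate Loki ingestion: each line is parsed once at ingest time and
    grouped into a stream keyed by the configured labelKeys. Returns
    {stream_label_tuple: [raw lines]}."""
    streams = {}
    for line in lines:
        event = json.loads(line)
        key = tuple(
            (k, extract_field(event, k))
            for k in label_keys
            if extract_field(event, k) is not None
        )
        streams.setdefault(key, []).append(line)
    return streams


def query(streams, label_selector, line_filter=None):
    """Simulate a LogQL query.

    label_selector: {label: set(allowed values)}; evaluated against the stream
        index only, so no line is touched for non-matching streams.
    line_filter: optional (field, set(allowed values)); models `| json | field=...`
        and costs one JSON parse per line it is applied to.
    Returns (matched lines, number of JSON parses performed at query time).
    """
    matched, parses = [], 0
    for key, lines in streams.items():
        labels = dict(key)
        if any(labels.get(k) not in vals for k, vals in label_selector.items()):
            continue
        for line in lines:
            if line_filter is None:
                matched.append(line)
                continue
            parses += 1
            event = json.loads(line)
            if extract_field(event, line_filter[0]) in line_filter[1]:
                matched.append(line)
    return matched, parses


def cardinality_report(lines, base_label_keys=("log_type",)):
    """Count streams with and without `verb` added to the base labelKeys, and
    list the verb values actually observed in the data."""
    without_verb = ingest(lines, tuple(base_label_keys))
    with_verb = ingest(lines, tuple(base_label_keys) + ("verb",))
    verbs = sorted({json.loads(line)["verb"] for line in lines})
    return {
        "streams_without_verb": len(without_verb),
        "streams_with_verb": len(with_verb),
        "verbs": verbs,
    }


if __name__ == "__main__":
    print(cardinality_report(SAMPLE_AUDIT_LINES))
    base = ingest(SAMPLE_AUDIT_LINES, ("log_type",))
    hits, parses = query(base, {"log_type": {"audit"}}, ("verb", {"create"}))
    print(f"without verb label: {len(hits)} hit(s), {parses} JSON parses at query time")
    labelled = ingest(SAMPLE_AUDIT_LINES, ("log_type", "verb"))
    hits, parses = query(labelled, {"log_type": {"audit"}, "verb": {"create"}})
    print(f"with verb label:    {len(hits)} hit(s), {parses} JSON parses at query time")
```

The report shows eight streams rather than six for this data because `watch` and `deletecollection` are present; a production cardinality estimate should be taken from the observed verb distribution of the cluster in question, including non-resource requests, rather than from the six-value list alone.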
