
Step 3: Route by Event Type

In addition to severity, another common routing key is the event type. For example, you might want to send all events related to payments to a special fraud detection system, regardless of their log level.

This step teaches you how to add routing logic based on a field like event_type.

The Goal

You will modify your switch output so that any message with event_type: "payment" is sent to a dedicated payments.jsonl file, taking priority over the existing severity-based routing.

Implementation

  1. Start with the Previous Pipeline: Copy the severity-router.yaml from Step 1 to a new file named event-router.yaml.

    cp severity-router.yaml event-router.yaml
  2. Add the Event Type Routing Rule: Open event-router.yaml and add a new case to the top of your switch block. Placing it at the top gives it the highest priority.

    # Modify the 'output' in event-router.yaml
    output:
      switch:
        cases:
          # --- START: New addition ---
          # Case 1: Handle all 'payment' events first for fraud analysis.
          - check: 'this.event_type == "payment"'
            output:
              file:
                path: /tmp/payments.jsonl
                codec: lines
          # --- END: New addition ---

          # Case 2: Handle CRITICAL (level ERROR) events that are not payment events
          - check: 'this.level.string().uppercase() == "ERROR"'
            output:
              file:
                path: /tmp/errors.jsonl
                codec: lines

          # Case 3: Handle WARN events that are not payment events
          - check: 'this.level.string().uppercase() == "WARN"'
            output:
              file:
                path: /tmp/warnings.jsonl
                codec: lines
  3. Deploy and Test:

    # Send a CRITICAL (level ERROR) event that is also a payment event
    curl -X POST http://localhost:8080/ingest -d '{"level": "ERROR", "event_type": "payment", "message": "High-risk transaction"}'

    # Send a regular CRITICAL (level ERROR) event
    curl -X POST http://localhost:8080/ingest -d '{"level": "ERROR", "event_type": "login", "message": "Auth failure"}'
  4. Verify: Check your output files.

    • The first event, despite being an ERROR, will be in payments.jsonl because the first rule in the switch matched it.
    • The second event will be in errors.jsonl because it did not match the payment rule and fell through to the severity-based routing.
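
The Verify step can be automated. The script below is an added example, not part of the original tutorial: it audits the output files and reports any payment event that landed in a severity file, plus near-miss values such as "Payment" that the exact-match `==` check in Case 1 lets fall through. The function names, the directory parameter, and the sample lines are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# File names come from the tutorial's switch cases; the directory is a parameter (assumption).
PAYMENT_FILE = "payments.jsonl"
SEVERITY_FILES = ("errors.jsonl", "warnings.jsonl")


def read_jsonl(path):
    """Yield (line_number, event) per non-empty line; a missing file yields nothing."""
    lines = path.read_text().splitlines() if path.exists() else []
    for n, line in enumerate(lines, 1):
        if line.strip():
            yield n, json.loads(line)


def audit_routing(directory):
    """Return (file, line_number, reason) for every event that looks misrouted."""
    base = Path(directory)
    findings = []
    for n, ev in read_jsonl(base / PAYMENT_FILE):
        if ev.get("event_type") != "payment":
            findings.append((PAYMENT_FILE, n, "non-payment event in payments file"))
    for name in SEVERITY_FILES:
        for n, ev in read_jsonl(base / name):
            etype = str(ev.get("event_type", ""))
            if etype == "payment":
                findings.append((name, n, "payment event bypassed the payment case"))
            elif etype.strip().lower() == "payment":
                # Case 1 compares strings exactly, so "Payment" is routed by severity.
                findings.append((name, n, f"near-miss event_type {etype!r}"))
    return findings


def write_sample(directory):
    """Write constructed sample output files (not real pipeline output)."""
    base = Path(directory)
    (base / "payments.jsonl").write_text(
        '{"level": "ERROR", "event_type": "payment", "message": "High-risk transaction"}\n')
    (base / "errors.jsonl").write_text(
        '{"level": "ERROR", "event_type": "login", "message": "Auth failure"}\n'
        '{"level": "ERROR", "event_type": "Payment", "message": "Card declined"}\n')
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_routing(write_sample(tmp)))
```

An empty result means every payment event reached `payments.jsonl`; run `audit_routing("/tmp")` against the real output files after the curl tests.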

You have now built a routing system that can make decisions based on multiple different fields in your data.