TL; DR: Google Cloud accepts structured logs ingested from different sources but will not index fields automatically. So by default the ingested jsonPayload will not be optimised for query. Here’s how to add indexes to it using Terraform.
# HCL
resource "google_logging_project_bucket_config" "default" {
count = var.destination.type == "logging_bucket" ? 1 : 0
project = var.project
location = "global"
retention_days = try(var.destination.rentention, 30)
bucket_id = try(var.destination.bucket, var.name)
dynamic "index_configs" {
for_each = { for i in var.indexes : i.field_path => i }
content {
field_path = index_configs.value.field_path
type = index_configs.value.type
}
}
}
# in the sample input ip, host and path will be indexed so query based on these fields
# will be much faster in Logs Explorer
indexes = [
{
field_path = "jsonPayload.ip"
type = "INDEX_TYPE_STRING"
},
{
field_path = "jsonPayload.host"
type = "INDEX_TYPE_STRING"
},
{
field_path = "jsonPayload.path"
type = "INDEX_TYPE_STRING"
},
]🙂