poorejc commented on issue #243:
URL: 
https://github.com/apache/incubator-flagon-useralejs/issues/243#issuecomment-1107691833

   Update:
   
   This might be a `grokparsefailure` on tags that we add to logs with `grok` 
in logstash.conf.
   
   We parse the semantic version string of `useraleVersion` and `toolVersion` 
and add additional fields. However, it looks like only `useraleVersion` is 
being correctly parsed (I honestly can't remember why we're parsing 
this)--you'll see these fields in LogStash as `minor_version`, 
`patch_version`... and so forth. There should also be a `tool_minor_version` 
and `tool_patch_version`... not so. I see `grokparsefailure` messages. It could 
be the 3 `null` entries are failed tags. Note that they fall outside of the log 
payload braces...
   
   It could be other tags that LogStash adds by default for ELK indexing that 
`grok` filters are being applied to. Here's a message I see, for example:
   
   ```
   {
   
             "tags" => [
   
           [0] "_grokparsefailure"
   
       ],
   
       "@timestamp" => 2022-04-24T02:07:34.612Z,
   
             "port" => ,
   
             "host" => "gateway"
   
   }
   ```
   
   We also `mutate` logs to remove headers, for example. However, these 
wouldn't be a part of the `message` payload. Not sure if that would result in 
the message you're seeing...
   
   This is my best guess at this point without more information about how that 
log was generated (at exactly which stage in the pipeline you're looking), and 
what the consequences of the parsing failure is (dropped log, dropped field, 
etc.).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@flagon.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to