[pkg/ottl] ParseSeverity function #35079
Comments
djaglowski
added
enhancement
|
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
@djaglowski we support map literals now, will that help? The grammar supports: As a reference for discussion, the existing solution would be multiple statements with conditions: Any additional function will need to be simpler than those statements. |
|
It is possible that the solution doesn't need to be an additional function and instead could be a additional section in the transformprocessor config. |
I don't think this is sufficient for ranges, which are a common use case with severity interpretation.
I don't think that's difficult but performance should also be a consideration here. I'll give another example of statements which could be much clearer and more performant with a better solution. In this case, HTTP status codes are interpreted into severity number and text: This is both difficult to understand and not very performant since each statement must execute against each log record, and because the statements themselves are non-trivial to evaluate. In contrast, the stanza is far simpler to understand: severity:
parse_from: body["status"]
mapping:
debug:
- min: 100
max: 199
info:
- min: 200
max: 299
- min: 300
max: 399
warn:
- min: 400
max: 499
error:
- min: 500
max: 599
# (Actually it can be even simpler but this is a special case where aliases represent predefined ranges)
# mapping:
# debug: 1xx
# info:
# - 2xx
# - 3xx
# warn: 4xx
# error: 5xxAdditionally, there is a substantial performance optimization which occurs with the stanza configuration. Specifically, we're able to put all values into a map at startup, so that every log records requires exactly one map lookup. I don't have strong opinions about exactly which form this should take in OTTL but I think it should be supported in some way that avoids such dense and wasteful statements. |
|
hi, i vote for this feature request, because in that case logs will contain SeverityText, there will be "err", "crit", but I would like to compare it with the more well-known "ERROR", "FATAL" etc. And only transformation can lead to the solution: |
|
@s71m if you are using udp receiver you can define your own severity mapping as part of |
@djaglowski thx for reply! I'm using both, syslog-ng on remote vps actually via tcp, but for severity need to define field "parse_from", and i cant figured it out, which field i need to pass. |
TylerHelmuth
changed the title
|
I'd like to look into implementing this |
|
@bacherfl if you've got ideas please share them here before working on a PR. We haven't yet landed on a proper way to express the map feature that stanza has in OTTL. |
alright, will post my thoughts here as soon as i have a possible approach |
|
One thing we might do here is make use of the map literals we introduced recently. This would allow to specify the log level mapping in a similar way as in stanza: In the example above, the numeric code is used to determine the error level, but the struct being used by the ParseSeverity function could also be extended with e.g. an array of strings (or regexes) that would map to a certain log level, e.g.: @TylerHelmuth @djaglowski please let me know your thoughts - do you think this could be a valid approach here? |
|
@bacherfl, it seems promising. One limitation of this vs stanza would be that in stanza you can provide multiple independent items for each level, where each item may be a literal match or something else like a range. e.g. error:
- nooo
- bad
- min: 500
max: 599
info:
- ok
- success
- min: 200
max: 299Do you see a way to allow this? Maybe each severity key could point to a slice that can contain any combination of strings and "min/max structs"? |
|
@djaglowski OTTL definitely supports that syntax and it looks like that would be a one-to-one match with stanza. |
|
Thanks for the feedback! That's a good suggestion and will make the structure more concise. In this case I will proceed to turn my PoC into a proper PR, with these changes in mind. I will keep you updated once it's ready for a first round of reviews |
|
Since map literal syntax in OTTL is kinda gross, should we add something to the transformprocessor ContextStatement struct to defining map literals in yaml that could get turned into strings and passed into the OTTL parser? Would be pretty cool to be able to copy and paste a filelogreciever severity config into the transformprocessor config |
|
Do you mean something like this? And then the transform processor will, before calling |
|
Ya something like that. We've never done statement templating like this before and it is risky, but it really like being able to reuse stanza's yaml config. @evan-bradley @edmocosta @djaglowski what do you think? |
|
That sounds like a good idea - Let's see what the others say, I'd be happy to look into implementing this after this function is done |
|
I understand this issue is about parsing severities, but I think a converter capable of doing value translations/lookups would be useful for other use cases as well, not only for parsing severities. That said, I'm wondering if we should implement a broader/generic solution for that instead? It would initially support this issue's requirements (literal values and ranges), and could be extended on the future to support for example, slices (multiple lookups), regexes, fallback values, functions, etc. WDYT?
I agree it might be risky, and I'm wondering how we would implement it. Would it be specific for the I like the idea of being able to interpolate/reuse configurations, but I'm still not sure if I would make it part of the transform processor's configuration. Furthermore, the Thoughts? |
|
I like the idea of offering another way to define literals, but can I suggest that be a separate issue? I think severity parsing will be useful even if the syntax is verbose. |
|
Ok lets move the parsing literals idea into a new issue and move forward with #35079 (comment). Handling literals can be an enhancement later. |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners: See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
Component(s)
pkg/ottl
Is your feature request related to a problem? Please describe.
OTTL can directly set severity number and text, but it would be nice if there was an optimized function for interpreting values. Stanza currently has a dedicated severity interpreter which has a couple advantages over using OTTL:
Describe the solution you'd like
The primary challenge with OTTL is that its functional nature may not lend itself well to specifying mappings. I'm not sure if there is a way to do this today, but I'd like users to be able to specify a function that contains an arbitrary number of mapping options. e.g.
ParseSeverity(attributes["sev"], AsError("err", "error", "NOOO"), AsInfo("info", "hey"), AsInfoRange(1, 100), ...)Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: