fix: Correctly ingest logs #32

Merged
merged 1 commit into from
Oct 16, 2023


@akash1810 akash1810 commented Oct 13, 2023

What does this change?

This parser provides the correct time format for logs generated from ECS.

We were previously parsing the time field as %d/%b/%Y:%H:%M:%S %z, a different format, which was causing some logs to be dropped. It's difficult to identify exactly which log lines were dropped; however, with this change the parsing errors seen below are all removed.

This change also fixes the hydration of logs with Stack, Stage, App markers by moving it to a separate directive. The process is now:

  1. Rename the log field to message
  2. Parse the message field as JSON
  3. Hydrate the log line with additional markers, including Stack, Stage, and App

Images

Firelens logs showing parsing errors, and dropped lines

image

Central ELK before

image

Central ELK after

image
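
The following Python check is an added example, not code from this pull request or the project: it replays the three steps listed above on constructed records and reports which lines fail the old time format quoted in the description. The sample records, their ISO 8601 timestamps, the marker values and all function names are assumptions; the page does not state the format ECS emits.

```python
import json
from datetime import datetime

OLD_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # format quoted in the PR description

# Constructed sample records: container output wrapped in a "log" field.
# The ISO 8601 timestamps are an assumption, not taken from the page.
SAMPLE_RECORDS = [
    {"log": '{"time": "13/Oct/2023:22:10:00 +0000", "msg": "started"}'},
    {"log": '{"time": "2023-10-13T22:10:01.123Z", "msg": "slow request"}'},
    {"log": '{"time": "2023-10-13T22:10:02.456Z", "msg": "upstream failed"}'},
    {"log": "plain text line, not JSON"},
]
MARKERS = {"Stack": "example-stack", "Stage": "TEST", "App": "example-app"}  # constructed


def time_parses(value, fmt=OLD_TIME_FORMAT):
    """True if the time field matches the given strptime format."""
    try:
        datetime.strptime(value, fmt)
        return True
    except (TypeError, ValueError):
        return False


def process(record, markers=MARKERS):
    """Apply the three steps from the description to one record."""
    out = dict(record)
    out["message"] = out.pop("log")          # 1. rename log -> message
    try:
        parsed = json.loads(out["message"])  # 2. parse message as JSON
        if isinstance(parsed, dict):
            out.update(parsed)
    except json.JSONDecodeError:
        pass  # design choice of this example: keep non-JSON lines as plain text
    out.update(markers)                      # 3. hydrate, independent of step 2
    return out


def audit(records, fmt=OLD_TIME_FORMAT):
    """Split records into (kept, would_drop) when the time field must match fmt."""
    kept, would_drop = [], []
    for record in records:
        processed = process(record)
        if "time" in processed and not time_parses(processed["time"], fmt):
            would_drop.append(processed)
        else:
            kept.append(processed)
    return kept, would_drop
```

Running `audit` over a captured sample of real records gives a concrete list of the lines a given time format would reject, which is the set the description says was hard to identify.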

@akash1810 akash1810 force-pushed the aa/ecs-parser branch 7 times, most recently from 77ccb85 to b7a57f5 Compare October 13, 2023 22:10
@akash1810 akash1810 changed the title fix: Use docker parser for ECS logs fix: Use custom parser to correctly process time field Oct 13, 2023
@akash1810 akash1810 marked this pull request as ready for review October 13, 2023 22:22
@akash1810 akash1810 requested a review from a team as a code owner October 13, 2023 22:22
@akash1810 akash1810 changed the title fix: Use custom parser to correctly process time field fix: Correctly ingest logs Oct 16, 2023
@akash1810 akash1810 merged commit 1153950 into main Oct 16, 2023
6 checks passed
@akash1810 akash1810 deleted the aa/ecs-parser branch October 16, 2023 08:46