-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[pkg/ottl] ParseSeverity function #35079
Comments
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
@djaglowski we support map literals now, will that help? The grammar supports:
As a reference for discussion, the existing solution would be multiple statements with conditions:
Any additional function will need to be simpler than those statements. |
It is possible that the solution doesn't need to be an additional function and instead could be a additional section in the transformprocessor config. |
I don't think this is sufficient for ranges, which are a common use case with severity interpretation.
I don't think that's difficult but performance should also be a consideration here. I'll give another example of statements which could be much clearer and more performant with a better solution. In this case, HTTP status codes are interpreted into severity number and text:
This is both difficult to understand and not very performant since each statement must execute against each log record, and because the statements themselves are non-trivial to evaluate. In contrast, the stanza is far simpler to understand: severity:
parse_from: body["status"]
mapping:
debug:
- min: 100
max: 199
info:
- min: 200
max: 299
- min: 300
max: 399
warn:
- min: 400
max: 499
error:
- min: 500
max: 599
# (Actually it can be even simpler but this is a special case where aliases represent predefined ranges)
# mapping:
# debug: 1xx
# info:
# - 2xx
# - 3xx
# warn: 4xx
# error: 5xx Additionally, there is a substantial performance optimization which occurs with the stanza configuration. Specifically, we're able to put all values into a map at startup, so that every log records requires exactly one map lookup. I don't have strong opinions about exactly which form this should take in OTTL but I think it should be supported in some way that avoids such dense and wasteful statements. |
hi, i vote for this feature request, because
in that case logs will contain SeverityText, there will be "err", "crit", but I would like to compare it with the more well-known "ERROR", "FATAL" etc.
And only transformation can lead to the solution:
|
@s71m if you are using udp receiver you can define your own severity mapping as part of |
@djaglowski thx for reply! I'm using both, syslog-ng on remote vps actually via tcp, but for severity need to define field "parse_from", and i cant figured it out, which field i need to pass. |
I'd like to look into implementing this |
@bacherfl if you've got ideas please share them here before working on a PR. We haven't yet landed on a proper way to express the map feature that stanza has in OTTL. |
alright, will post my thoughts here as soon as i have a possible approach |
Component(s)
pkg/ottl
Is your feature request related to a problem? Please describe.
OTTL can directly set severity number and text, but it would be nice if there was an optimized function for interpreting values. Stanza currently has a dedicated severity interpreter which has a couple advantages over using OTTL:
Describe the solution you'd like
The primary challenge with OTTL is that its functional nature may not lend itself well to specifying mappings. I'm not sure if there is a way to do this today, but I'd like users to be able to specify a function that contains an arbitrary number of mapping options. e.g.
ParseSeverity(attributes["sev"], AsError("err", "error", "NOOO"), AsInfo("info", "hey"), AsInfoRange(1, 100), ...)
Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: