[pkg/ottl] ParseSeverity function #35079
Comments
djaglowski
added
enhancement
|
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
@djaglowski we support map literals now, will that help? The grammar supports: As a reference for discussion, the existing solution would be multiple statements with conditions: Any additional function will need to be simpler than those statements. |
|
It is possible that the solution doesn't need to be an additional function and instead could be a additional section in the transformprocessor config. |
I don't think this is sufficient for ranges, which are a common use case with severity interpretation.
I don't think that's difficult but performance should also be a consideration here. I'll give another example of statements which could be much clearer and more performant with a better solution. In this case, HTTP status codes are interpreted into severity number and text: This is both difficult to understand and not very performant since each statement must execute against each log record, and because the statements themselves are non-trivial to evaluate. In contrast, the stanza is far simpler to understand: severity:
parse_from: body["status"]
mapping:
debug:
- min: 100
max: 199
info:
- min: 200
max: 299
- min: 300
max: 399
warn:
- min: 400
max: 499
error:
- min: 500
max: 599
# (Actually it can be even simpler but this is a special case where aliases represent predefined ranges)
# mapping:
# debug: 1xx
# info:
# - 2xx
# - 3xx
# warn: 4xx
# error: 5xxAdditionally, there is a substantial performance optimization which occurs with the stanza configuration. Specifically, we're able to put all values into a map at startup, so that every log records requires exactly one map lookup. I don't have strong opinions about exactly which form this should take in OTTL but I think it should be supported in some way that avoids such dense and wasteful statements. |
|
hi, i vote for this feature request, because in that case logs will contain SeverityText, there will be "err", "crit", but I would like to compare it with the more well-known "ERROR", "FATAL" etc. And only transformation can lead to the solution: |
|
@s71m if you are using udp receiver you can define your own severity mapping as part of |
@djaglowski thx for reply! I'm using both, syslog-ng on remote vps actually via tcp, but for severity need to define field "parse_from", and i cant figured it out, which field i need to pass. |
TylerHelmuth
changed the title
Component(s)
pkg/ottl
Is your feature request related to a problem? Please describe.
OTTL can directly set severity number and text, but it would be nice if there was an optimized function for interpreting values. Stanza currently has a dedicated severity interpreter which has a couple advantages over using OTTL:
Describe the solution you'd like
The primary challenge with OTTL is that its functional nature may not lend itself well to specifying mappings. I'm not sure if there is a way to do this today, but I'd like users to be able to specify a function that contains an arbitrary number of mapping options. e.g.
ParseSeverity(attributes["sev"], AsError("err", "error", "NOOO"), AsInfo("info", "hey"), AsInfoRange(1, 100), ...)Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: