1. Describe your incident:
The set_fields_autotype function appears to be misinterpreting some numeric fields as malformed timestamps. I’m getting this error:
Error evaluating action for rule <Process JSON Logs With Field Protection/64341dac49eacf4e9355cf0b> (pipeline <FFT-WS Logs/6452d2848536a954831be07a>) - In call to function 'set_fields_autotype' at 15:4 an exception was thrown: For input string: "20200428838"
If I add a letter to the field (‘b20200428838’) or change it to be more like a more properly formatted date (‘20200428’) it doesn’t generate the error.
Rule Snippet:
let fields = flatten_json(to_string(save_message), "json");
set_fields_autotype(to_map(fields));
Sample log message:
{"AccountID":"","ClientIPAddr":"111.111.111.111","ContentType":"application/json","Context":{"documentId":"20200428838","myStatus":{"errorMessage":"service is too busy to receive requests","statusCode":3}}}
Graylog shows Context_documentId as a string field in the Graylog UI
2. Describe your environment:
- OS Information: Ubuntu 20.04
- Package Version: Graylog 5.14
- Service logs, configurations, and environment variables: We are using AWS OpenSearch 2.3 as the Elastic backend.
3. What steps have you already taken to try and solve the problem?
Narrowed it down to what appears to be a bug in set_fields_autotype
4. How can the community help?
Raise a bug report?