Set_fields_autotype throws exception on perceived date field

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
The set_fields_autotype function appears to be misinterpreting some numeric fields as malformed timestamps. I’m getting this error:

Error evaluating action for rule <Process JSON Logs With Field Protection/64341dac49eacf4e9355cf0b> (pipeline <FFT-WS Logs/6452d2848536a954831be07a>) - In call to function ‘set_fields_autotype’ at 15:4 an exception was thrown: For input string: “20200428838”

If I add a letter to the field (‘b20200428838’) or change it to be more like a more properly formatted date (‘20200428’) it doesn’t generate the error.

Rule Snippet:

let fields = flatten_json(to_string(save_message), "json");

Sample log message:

{“AccountID”:“”,“ClientIPAddr”:“”,“ContentType”:“application/json”,“Context”:{“documentId”:“20200428838”,“myStatus”:{“errorMessage”:“service is too busy to receive requests”,“statusCode”:3}}}

Graylog shows Context_documentId as a string field in the Graylog UI

2. Describe your environment:

  • OS Information: Ubuntu 20.04

  • Package Version: Graylog 5.14

  • Service logs, configurations, and environment variables:
    We are using AWS OpenSearch 2.3 as the Elastic backend.

3. What steps have you already taken to try and solve the problem?
Narrowed it down to what appears to be a bug in set_fields_autotype

4. How can the community help?
Raise a bug report?

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.