Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to Parse Timestamp in OTEL Collector Filelog Receiver #34390

Closed
vimalraj3 opened this issue Aug 2, 2024 · 8 comments
Closed

Unable to Parse Timestamp in OTEL Collector Filelog Receiver #34390

vimalraj3 opened this issue Aug 2, 2024 · 8 comments
Labels
bug Something isn't working receiver/filelog

Comments

@vimalraj3
Copy link

vimalraj3 commented Aug 2, 2024
edited
Loading

Description

I am experiencing an issue with the OTEL Collector configuration where the filelog receiver is unable to parse timestamps from the log files. Below are the relevant configurations and the error message encountered:

OpenTelemetry Collector configuration

receivers:
  filelog:
    include: [ /var/logs/*.log ]
    operators:
      - type: regex_parser
        regex: '^(?P<timestamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}:\d{3}) \[(?P<thread>[^\]]+)\] (?P<sev>[A-Z]*) (?P<msg>.*)$'
        timestamp:
          parse_from: attributes.timestamp
          layout_typ: strptime
          layout: '%Y-%m-%d-%H-%M-%S:%L'
        severity:
          parse_from: attributes.sev

exporters:
  debug:
    verbosity: detailed 

service:
  pipelines:
    logs:
      receivers: [filelog] 
      exporters: [debug]

Input Logs

2024-07-31-11-11-20:295 [http-nio-8300-exec-5] DEBUG com.txnws_watchlist.TxnWsWatchlist.eventing.RabbitPublisher:46 - Exit in rabbitMqEventPublisher
2024-07-31-11-11-20:295 [http-nio-8300-exec-5] DEBUG com.txnws_watchlist.TxnWsWatchlist.eventing.RabbitPublisher:46 - Exit in rabbitMqEventPublisher
2024-07-31-11-11-20:295 [http-nio-8300-exec-5] DEBUG com.txnws_watchlist.TxnWsWatchlist.eventing.RabbitPublisher:46 - Exit in rabbitMqEventPublisher
2024-07-31-11-11-20:295 [http-nio-8300-exec-5] DEBUG com.txnws_watchlist.TxnWsWatchlist.eventing.RabbitPublisher:46 - Exit in rabbitMqEventPublisher

Steps to Reproduce:

  1. Configure the OTEL Collector with the above configuration.
  2. Include log files with timestamps in the format YYYY-MM-DD-HH-MM-SS:SSS.
  3. Run the collector and observe the error in the logs.

Expected Result

The timestamp in the logs should be parsed correctly using the specified regex pattern and layout format.

Actual Result

2024-08-02T11:56:06.423Z    error   helper/transformer.go:102       Failed to process entry {"kind": "receiver", "name": "filelog","data_type": "logs", "operator_id": "regex_parser", "operator_type": "regex_parser", "error": {"description": "time parser: parsing time \"2024-07-31-11-11-20:295\" as \"2006-01-02-15-04-05::999\": cannot parse \"295\" as \"::999\""}, "action": "send"}

Collector version

v0.104.0

Environment information

OS: Amazon Linux
@vimalraj3 vimalraj3 added bug Something isn't working needs triage New item requiring triage labels Aug 2, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 2, 2024

Pinging code owners for receiver/filelog: @djaglowski. See Adding Labels via Comments if you do not have permissions to add labels yourself.

@bacherfl
Copy link
Contributor

bacherfl commented Aug 5, 2024

Hi, I was looking into this out of curiosity and found that golang's time.Parse function seems to require a format where the milliseconds part of the timestamp is prefixed with either . or , - so apparently it is not possible to have a timestamp format where the milliseconds are prefixed with :, as indicated in this section of the time package: https://github.com/golang/go/blob/f428c7b729d3d9b37ed4dacddcd7ff88f4213f70/src/time/format.go#L316

Would it be an option to change the format of the time stamps in the logs to something like YYYY-MM-DD-HH-MM-SS.SSS?

@vimalraj3
Copy link
Author

Thank you.

@crobert-1
Copy link
Member

Hello @vimal-oneway, just want to check, have you been able to test to see if @bacherfl's suggestion works for you? If so, can we close this issue?

@github-actions github-actions bot mentioned this issue Aug 6, 2024
Closed
@vimalraj3
Copy link
Author

Hi @crobert-1 ,

By using OTTL functions, I was able to concatenate the time and milliseconds with a period, which allowed me to parse it into a timestamp. Here’s the code snippet I used:

 - set(attributes["timestamp_ms"], Concat([attributes["timestamp"], attributes["ms"]], "."))

This resolved the problem I was experiencing. Thank you for your support!
Yes we can close this issue.

@ChrsMark
Copy link
Member

ChrsMark commented Aug 6, 2024
edited
Loading

Based on #34390 (comment), should the layout: '%Y-%m-%d-%H-%M-%S:%L' be validated at first place on receiver's startup to explicitly indicate that it's not a valid layout?

@Frapschen Frapschen removed the needs triage New item requiring triage label Aug 6, 2024
@bacherfl
Copy link
Contributor

bacherfl commented Aug 7, 2024

Based on #34390 (comment), should the layout: '%Y-%m-%d-%H-%M-%S:%L' be validated at first place on receiver's startup to explicitly indicate that it's not a valid layout?

I can look into adding such a check

@bacherfl bacherfl mentioned this issue Aug 7, 2024
Merged
djaglowski pushed a commit that referenced this issue Aug 12, 2024
@bacherfl
[receiver/filelog] check for invalid strptime format (#34459)
d65e5c9 
**Description:** Check for unsupported fractional seconds directive when
converting strptime time layout to native format. This is done to
prevent parsing errors which occur due to a limitation of how timestamps
are being parsed in go - for more context see this comment in the
related issue:
#34390 (comment)

**Link to tracking Issue:** #34390

**Testing:** Added additional unit tests

**Documentation:** TODO, probably will require a note in
`regex_parser.md`

---------

Signed-off-by: Florian Bacher <florian.bacher@dynatrace.com>
@bacherfl bacherfl mentioned this issue Aug 19, 2024
Closed
6 tasks
@djaglowski
Copy link
Member

Closing this based on the behavior being native to golang's time package, and because we've now added validation to detect it in #34459.

f7o pushed a commit to f7o/opentelemetry-collector-contrib that referenced this issue Sep 12, 2024
@bacherfl @f7o
[receiver/filelog] check for invalid strptime format (open-telemetry#…
553ea26 
…34459)

**Description:** Check for unsupported fractional seconds directive when
converting strptime time layout to native format. This is done to
prevent parsing errors which occur due to a limitation of how timestamps
are being parsed in go - for more context see this comment in the
related issue:
open-telemetry#34390 (comment)

**Link to tracking Issue:** open-telemetry#34390

**Testing:** Added additional unit tests

**Documentation:** TODO, probably will require a note in
`regex_parser.md`

---------

Signed-off-by: Florian Bacher <florian.bacher@dynatrace.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working receiver/filelog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@bacherfl @djaglowski @ChrsMark @Frapschen @vimalraj3 @crobert-1