Provide opt-in flag to avoid fields name clash when log format is json #15969
Conversation
NotesAfter discussion with team, the proposal is to avoid adding an extra layer, which potentially could be a breaking change. |
andsel
changed the title
andsel
changed the title
There was a problem hiding this comment.
Some suggestions on naming
Plus, can we add the setting, and what it does to the logstash.yml and command-line docs pages?
Yes, that's a great idea. |
…field named 'logEventParams'
…documented in throubleshooting section
…plicate_message_fields
andsel
force-pushed
the
fix/json_logger_message_field_clash
branch
from
706dd26
to
da53b5c
Compare
Co-authored-by: Rob Bavey <[email protected]>
|
0.0% Duplication on New Code
| @@ -94,6 +96,16 @@ private void writeStructuredMessage(StructuredMessage message, JsonGenerator gen | |||
| } | |||
| } | |||
|
|
|||
| private static String renameParamNameIfClashingWithMessage(Map.Entry<Object, Object> entry) { | |||
There was a problem hiding this comment.
Although it's very unlikely to happen, wouldn't the static name message_1 be prone to value overrides in case some log, containing the message_1 key, is logged? for example: logger.info('this is test', :message => 'bar', :message_1' => 'foo') or logger.info('this is test', hash_with_messages_keys).
There was a problem hiding this comment.
logger.info('this is test', :message => 'bar', :message_1' => 'foo')
It's possibile but little bit unrealistic given that those logger invocations come from code the inside Logstash code base.
logger.info('this is test', hash_with_messages_keys)
This could be a problem, where hash_with_messages_keys id something like
{ "message": "blalba", "message_1": "blabla 1" }and it's out of code control.
In general, whatever policy we apply to avoid collision, for example move the duplicate field in some nested map, it is subject to this latest problem you are exposing, because maps can overlap on root names, but also on nested structures.
💚 Build Succeeded
History
cc @andsel |
|
@logstashmachine backport 8.14 |
#15969) Adds log.format.json.fix_duplicate_message_fields feature flag to rename the clashing fields when json logging format (log.format) is selected. In case two message fields clashes on structured log message, then the second is renamed attaching _1 suffix to the field name. By default the feature is disabled and requires user to explicitly enable the behaviour. Co-authored-by: Rob Bavey <[email protected]> (cherry picked from commit 830733d)
#15969) (#16094) Adds log.format.json.fix_duplicate_message_fields feature flag to rename the clashing fields when json logging format (log.format) is selected. In case two message fields clashes on structured log message, then the second is renamed attaching _1 suffix to the field name. By default the feature is disabled and requires user to explicitly enable the behaviour. Co-authored-by: Rob Bavey <[email protected]> (cherry picked from commit 830733d) Co-authored-by: Andrea Selva <[email protected]>
Release notes
Exposes
log.format.json.fix_duplicate_message_fieldsflag to avoid collision of field names in log lines whenlog.formatis JSON.What does this PR do?
Adds
log.format.json.fix_duplicate_message_fieldsfeature flag to rename the clashing fields when json logging format (log.format) is selected.In case two
messagefields clashes on structured log message, then the second is renamed attaching_1suffix to the field name.By default the feature is disabled and requires user to explicitly enable the behaviour.
The PR provides description of the flag only in the throuble shooting section, and not in general description of all the command line flags and settings (
logstash/docs/static/settings-file.asciidoc
Line 335 in 59bd376
In this way the flag can be deprecated or dropped more easily and the behaviour enabled by default.
Why is it important/What is the impact to the user?
A user that enables json log format for their Logstash's logs could stumble on a problem to have two
messagefields in the same json document. Despite this is a valid json, is not common practice and could lead to confusion: which is the effective log message body and which is the field?With this PR the user can choose to enable a stricter behaviour when encounter such problem.
Checklist
[ ] I have made corresponding change to the default configuration files (and/or docker env variables)Author's Checklist
How to test this PR locally
{"name": [}messageandmessage_1fields.{ "level":"WARN", "loggerName":"logstash.codecs.jsonlines", "timeMillis":1710838609569, "thread":"[main]<stdin", "logEvent":{ "message":"JSON parse error, original data now in message field", "message_1":"Unexpected close marker '}': expected ']' (for Array starting at [Source: (String)\"{\"name\": [}\"; line: 1, column: 10])\n at [Source: (String)\"{\"name\": [}\"; line: 1, column: 12]", "exception":"LogStash::Json::ParserError", "data":"{\"name\": [}" } }Related issues
messagefields #14335Use cases
Screenshots
Logs