Event analytics does not display nested json logfile

StefanS · August 13, 2022, 11:04am

Hi there,
Currently event analystic has a problem displaying / handling nested json logfile :

github.com/opensearch-project/observability

[BUG] Event analytics does not display nested json logfile

opened 07:34AM - 19 Jul 22 UTC

bug

**What is the bug?** nested json logfile `"log.attributes.priority": 30,` are n…ot displayed correctly. json in discover: ``` { "_index": "logs_logs", "_id": "ZVtIFYIB8GvAjIWF94J5", "_version": 1, "_score": null, "_source": { "traceId": "", "spanId": "", "flags": 0, "time": "2022-07-19T07:07:59.467977Z", "severityNumber": 9, "droppedAttributesCount": 0, "serviceName": null, "body": "<30>1 2022-07-19T09:07:59.467977+02:00 fwgate-1.test.local device_name=\"SFW\" - - - timestamp=\"2022-07-19T09:07:59+0200\" device_model=\"XG111\" device_serial_id=\"XXXXXXX\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=10 fw_rule_id=\"56\" nat_rule_id=\"0\" fw_rule_type=\"USER\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"xfrm4\" src_mac=\"34:DB:FD:83:D8:09\" dst_mac=\"C8:4F:86:04:0E:70\" src_ip=\"172.16.34.224\" src_country=\"R1\" dst_ip=\"172.17.35.132\" dst_country=\"R1\" protocol=\"TCP\" src_port=49856 dst_port=10050 packets_sent=5 packets_received=5 bytes_sent=319 bytes_received=292 src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"VPN\" dst_zone=\"VPN\" con_event=\"Stop\" con_id=\"3294294976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"xfrm4\"", "observedTime": "2022-07-19T07:07:59.479088669Z", "schemaUrl": "https://opentelemetry.io/schemas/1.6.1", "log.attributes.version": 1, "log.attributes.appname": "SFW", "log.attributes.priority": 30, "log.attributes.message": " timestamp=\"2022-07-19T09:07:59+0200\" device_model=\"X111\" device_serial_id=\"XXXXXXXX\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=10 fw_rule_id=\"56\" nat_rule_id=\"0\" fw_rule_type=\"USER\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"xfrm4\" src_mac=\"34:DB:FD:83:D8:09\" dst_mac=\"C8:4F:86:04:0E:70\" src_ip=\"172.16.34.224\" src_country=\"R1\" dst_ip=\"172.17.35.132\" dst_country=\"R1\" protocol=\"TCP\" src_port=49856 dst_port=10050 packets_sent=5 packets_received=5 bytes_sent=319 bytes_received=292 src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"VPN\" dst_zone=\"VPN\" con_event=\"Stop\" con_id=\"3294294976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"xfrm4\"", "log.attributes.facility": 3, "resource.attributes.host@name": "ingest01.test.local", "resource.attributes.os@type": "linux", "resource.attributes.host@id": "ingest01.test.local", "log.attributes.hostname": "fwgate-1.test.local" }, "fields": { "observedTime": [ "2022-07-19T07:07:59.479Z" ], "time": [ "2022-07-19T07:07:59.467Z" ] }, "sort": [ 1658214479467 ] } ``` ![discover](https://user-images.githubusercontent.com/6105075/179690901-9001a42d-6ff1-411f-9896-448aa5ea062b.png) json in Event analytics: ``` { "traceId": "", "log": "null", "resource": "null", "flags": 0, "severityNumber": 9, "body": "<30>1 2022-07-19T09:04:38.287882+02:00 fwgate-1.test.local device_name=\"SFW\" - - - timestamp=\"2022-07-19T09:04:38+0200\" device_model=\"XG111\" device_serial_id=\"xxxxxxxxx\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=11 fw_rule_id=\"56\" nat_rule_id=\"0\" fw_rule_type=\"USER\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"xfrm4\" src_mac=\"34:DB:FD:83:D8:09\" dst_mac=\"C8:4F:86:04:0E:70\" src_ip=\"172.16.34.224\" src_country=\"R1\" dst_ip=\"172.17.35.165\" dst_country=\"R1\" protocol=\"TCP\" src_port=36642 dst_port=10050 packets_sent=6 packets_received=4 bytes_sent=340 bytes_received=193 src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"VPN\" dst_zone=\"VPN\" con_event=\"Stop\" con_id=\"1546955264\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"xfrm4\"", "observedTime": "2022-07-19 07:04:38.289119295", "schemaUrl": "https://opentelemetry.io/schemas/1.6.1", "spanId": "", "droppedAttributesCount": 0, "time": "2022-07-19 07:04:38.287882" } ``` ![Event](https://user-images.githubusercontent.com/6105075/179691761-11e38be4-ba13-4de7-98f1-060c57da3036.png) **How can one reproduce the bug?** The problem always arises with `nested json`. **What is the expected behavior?** The same representation, respectively no problems with nested json, as in Discover With this bug, currently Event analytics is not usable. **What is your host/environment?** **Do you have any screenshots?** See above.

In many application areas you can therefore not use event analystic with nested json logfiles, which is a pity.
Is there a chance that this bug will be fixed in the next release ?

Thanks for the good work to opensearch.

Topic		Replies	Views
OpenSearch json logging Request For Comments discuss , configure	3	676	September 21, 2023
Logs doesn´t display in the dashboard DevOps	1	299	November 19, 2023
Feedback: Experimental Feature - Security Analytics General Feedback	10	701	January 3, 2023
Unified View of Logs in OpenSearch Dashboards: Is There a Way to Aggregate Documents? OpenSearch Dashboards	3	188	February 4, 2024
Can you view logs by clicking on a visualization? OpenSearch Dashboards troubleshoot	2	182	January 30, 2024

Event analytics does not display nested json logfile

Related Topics