Map 'azure.activitylogs.Level' field to 'log.level' #13968
Conversation
🚀 Benchmarks reportTo see the full report comment with |
muthu-mps
added
bugfix
There was a problem hiding this comment.
We fixed the azure.activitylogs.level problem by deprecating and removing it from the document.
However, the current values for the log.level are mixed:
cat packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-*expected* | jq '.expected[].log.level'
"Information"
"4"
"4"
"4"
"Information"I believe we should add a mapping step to map the numeric value "4" to the equivalent textual value, so we can always have values like Critical, Error, Warning, Informational and Verbose.
Thanks @zmoog! I have mapped the string equivalent values for the severity levels in integer. |
|
💚 Build Succeeded
History
cc @muthu-mps |
| ## Convert the severity level integer values to corresponding string value to log the level in single unified format. | ||
| - set: | ||
| field: log.level | ||
| value: "Critical" | ||
| if: ctx.log?.level != null && ctx.log?.level == "1" | ||
| - set: | ||
| field: log.level | ||
| value: "Error" | ||
| if: ctx.log?.level != null && ctx.log?.level == "2" | ||
| - set: | ||
| field: log.level | ||
| value: "Warning" | ||
| if: ctx.log?.level != null && ctx.log?.level == "3" | ||
| - set: | ||
| field: log.level | ||
| value: "Informational" | ||
| if: ctx.log?.level != null && ctx.log?.level == "4" | ||
| - set: | ||
| field: log.level | ||
| value: "Verbose" | ||
| if: ctx.log?.level != null && ctx.log?.level == "5" |
There was a problem hiding this comment.
There is still a small inconsistency between the textual values and the mapped ones:
cat packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-*expected* | jq '.expected[].log.level'
"Information"
"Informational"
"Informational"
"Informational"
"Information"Where did you find the mapping between number > text values? I tried for some time but couldn't identify a source I would fully trust.
There was a problem hiding this comment.
Thanks for highlighting on the severity levels @zmoog!
- The severity level is listed here in the official document. We need to process for both Information and Informational.
- The text to number values is taken from syslog, log4j etc.. which users standard level to represent their priority or importance, where lower numbers signify higher severity. There is no document which specifies the severity levels mapped to the numbers in Azure.
There was a problem hiding this comment.
I was looking for a doc that explicitly states that 0: Level X, 1: Level Y, and so on. But I could not find one as well.
I see you added "Verbose", even if it's not included at https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-schema#severity-level
How confident are you we can apply syslog, log4j, etc logic to activity logs?
Since all *-raw.log file in the _dev/test/pipeline use "Information", why did you decided to pick "Informational" instead of "Information"? As a user, I'm confused by seeing both "Informational" and "Information" values emitted from the same piece of software, unless there's a clear difference between the two.
Looking through the codebase, I see the other log categories (functions and spring cloud logs) use "Informational" as value in a level field.
I am collecting activity logs for the upcoming EDOT Cloud Forwarder project, so I searched through the samples I have, and this is the result:
➜ cat samples/logs/ds/activity/Policy/eventhub.ndjson | jq '.records[].level' | sort | uniq -c
210 "Information"
84 "Warning"
➜ cat samples/logs/ds/activity/Recommendation/eventhub.ndjson | jq '.records[].level' | sort | uniq -c
2 "Informational"
➜ cat samples/logs/ds/activity/ResourceHealth/eventhub.ndjson | jq '.records[].level' | sort | uniq -c
5 "Informational"
➜ cat samples/logs/ds/activity/ServiceHealth/eventhub.ndjson | jq '.records[].level' | sort | uniq -c
1 "Informational"
➜ cat samples/logs/ds/activity/Administrative/eventhub.ndjson | jq '.records[].level' | sort | uniq -c
4 "Information"We get a different value depending on the log category 🤦
There was a problem hiding this comment.
For the "Informational" vs. "Information", the only things I can think of are:
- Update the docs saying that each service emits its own version of this severity level, suggesting users to add their own custom pipeline to adjust values.
- Add an optional setting to allow users to override this level with the value they prefer.
There was a problem hiding this comment.
"Informational" vs. "Information": it seems there's no way out, we need to decide which poison to pick.
Mapping number/text: I would love to find a official doc, or piece of code in a SDK, with a reliable mapping to double-check our assumptions.
| @@ -1,3 +1,8 @@ | |||
| - version: "1.23.4" | |||
| changes: | |||
| - description: Map `azure.activitylogs.Level` field to log.level. | |||
There was a problem hiding this comment.
| - description: Map `azure.activitylogs.Level` field to log.level. | |
| - description: Map `azure.activitylogs.Level` field to `log.level`. |
Proposed commit message
This issue fixes the mapping for
azure.activitylogs.Level. This value should be populated intolog.levelinstead it is currently pushed toazure.activitylogs.level.As Azure emits same logs in different field names for same log type we need to process the logs to appropriate field.
Marking the
azure.activitylogs.levelfield as deprecated.Checklist
changelog.ymlfile.Author's Checklist
Install the Azure activity logs integration and validate all the log levels are captured in log.level.
Related issues