How to ingest gzip log files and use remap to parse it in json format?

[syzcch]

I want to use Vector to ingest some gzip files then use remap to parse them. We put some log files with json format into a gzip file to do the test.

Here is my config:

data_dir = "/home/elk/log/"
[sources.gz_logs]
type = "file"
include = [ "/home/elk/log/*.gz" ]

[transforms.parse_logs]
type = "remap"
inputs = ["gz_logs"]
source = '''
. = parse_json!(.message)
'''

[sinks.print]
type = "console"
inputs = ["parse_logs"]
encoding.codec = "json"

Finally, I got error messages:

2022-04-24T11:08:10.581077Z ERROR transform{component_kind="transform" component_id=parse_logs component_type=remap component_name=parse_logs}: vector::internal_events::remap: Mapping failed with event. error="function call error for \"parse_json\" at (4:25): unable to parse json: expected ident at line 1 column 2" error_type="conversion_failed" stage="processing" internal_log_rate_secs=10
2022-04-24T11:08:10.582872Z ERROR transform{component_kind="transform" component_id=parse_logs component_type=remap component_name=parse_logs}: vector::internal_events::remap: Internal log [Mapping failed with event.] is being rate limited.

{"file":"/home/elk/log/test-requests.log.tar.gz",""message":"test-requests.log.3\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000000644\u0000�\u0000\u0000\u0000\u0001Jh*0000144\u000000000137445\u000014214062002\u0000014131\u0000 ......

Could you help me to solve it please? Thank you so much for your help.

[jszwedko]

Hi @syzcch !

Looking at your error messages there, it seems like you might have compressed tar archives? Vector won't read those correctly, only individual compressed files.

To verify Vector's behavior of reading individual files, I tested with:

flog -f json > /tmp/logs.json

(flog is a log generator: https://github.com/seattlerb/flog)

gzip /tmp/logs.json

Running Vector with the below configuration:

data_dir = "/tmp/vector"

[sources.gz_logs]
type = "file"
include = [ "/tmp/log.json.gz" ]

[transforms.parse_logs]
type = "remap"
inputs = ["gz_logs"]
source = '''
. = parse_json!(.message)
'''

[sinks.print]
type = "console"
inputs = ["parse_logs"]
encoding.codec = "json"

And Vector was able to correctly read and parse the lines:

2022-04-25T14:15:39.971147Z  INFO vector::app: Log level is enabled. level="vector=info,codec=info,vrl=info,file_source=info,tower_limit=trace,rdkafka=info,buffers=info,kube=info"
2022-04-25T14:15:39.971200Z  INFO vector::app: Loading configs. paths=["/tmp/tmp.toml"]
2022-04-25T14:15:39.972183Z  INFO vector::topology::running: Running healthchecks.
2022-04-25T14:15:39.972230Z  INFO vector::topology::builder: Healthcheck: Passed.
2022-04-25T14:15:39.972251Z  INFO vector: Vector has started. debug="false" version="0.21.0" arch="aarch64" build_id="none"
2022-04-25T14:15:39.972276Z  INFO vector::app: API is disabled, enable by setting `api.enabled` to `true` and use commands like `vector top`.
2022-04-25T14:15:39.972318Z  INFO source{component_kind="source" component_id=gz_logs component_type=file component_name=gz_logs}: vector::sources::file: Starting file server. include=["/tmp/log.json.gz"] exclude=[]
2022-04-25T14:15:39.972483Z  INFO source{component_kind="source" component_id=gz_logs component_type=file component_name=gz_logs}:file_server: file_source::checkpointer: Attempting to read legacy checkpoint files.
2022-04-25T14:15:39.995249Z  INFO source{component_kind="source" component_id=gz_logs component_type=file component_name=gz_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/tmp/log.json.gz
{"bytes":2364,"datetime":"25/Apr/2022:07:12:19 -0700","host":"206.106.41.124","method":"PATCH","protocol":"HTTP/1.0","referer":"https://www.corporatesynergistic.info/front-end/strategic/web-enabled","request":"/clicks-and-mortar/mesh/eyeballs/roi","status":504,"user-identifier":"-"}
{"bytes":7638,"datetime":"25/Apr/2022:07:12:19 -0700","host":"107.161.55.61","method":"HEAD","protocol":"HTTP/1.0","referer":"https://www.districtsticky.org/holistic/channels","request":"/expedite","status":501,"user-identifier":"watsica3103"}
{"bytes":2115,"datetime":"25/Apr/2022:07:12:19 -0700","host":"229.40.31.20","method":"PUT","protocol":"HTTP/1.1","referer":"http://www.forwardbandwidth.org/transition","request":"/rich/synergize/impactful/strategic","status":203,"user-identifier":"-"}
{"bytes":28334,"datetime":"25/Apr/2022:07:12:19 -0700","host":"21.162.181.77","method":"POST","protocol":"HTTP/2.0","referer":"http://www.dynamicpartnerships.name/maximize/deploy/rich","request":"/architect/killer/front-end","status":404,"user-identifier":"graham5508"}
{"bytes":7244,"datetime":"25/Apr/2022:07:12:19 -0700","host":"158.72.200.28","method":"PUT","protocol":"HTTP/2.0","referer":"https://www.humanniches.biz/mission-critical/monetize/envisioneer/rich","request":"/vortals","status":400,"user-identifier":"doyle7264"}
{"bytes":15028,"datetime":"25/Apr/2022:07:12:19 -0700","host":"24.195.212.100","method":"DELETE","protocol":"HTTP/1.0","referer":"http://www.centralrevolutionary.com/disintermediate","request":"/scale/impactful/customized/iterate","status":401,"user-identifier":"-"}
{"bytes":6336,"datetime":"25/Apr/2022:07:12:19 -0700","host":"107.133.250.43","method":"GET","protocol":"HTTP/1.0","referer":"http://www.chiefdisintermediate.biz/extensible/redefine/e-markets/e-enable","request":"/cross-platform/e-services/content","status":404,"user-identifier":"-"}
{"bytes":3446,"datetime":"25/Apr/2022:07:12:19 -0700","host":"157.34.215.76","method":"PUT","protocol":"HTTP/1.1","referer":"https://www.chiefmethodologies.biz/content/bricks-and-clicks/innovative","request":"/productize/ubiquitous/real-time","status":304,"user-identifier":"rath1575"}
{"bytes":26331,"datetime":"25/Apr/2022:07:12:19 -0700","host":"163.58.201.221","method":"POST","protocol":"HTTP/1.0","referer":"http://www.directplug-and-play.org/virtual/paradigms/networks","request":"/plug-and-play/e-services","status":501,"user-identifier":"reilly8887"}
{"bytes":5067,"datetime":"25/Apr/2022:07:12:19 -0700","host":"79.81.12.147","method":"HEAD","protocol":"HTTP/1.1","referer":"https://www.legacyarchitectures.info/rich/mesh/compelling/infrastructures","request":"/e-tailers/real-time/24%2f7/impactful","status":201,"user-identifier":"mante8340"}
{"bytes":26059,"datetime":"25/Apr/2022:07:12:19 -0700","host":"86.135.244.116","method":"PATCH","protocol":"HTTP/1.0","referer":"https://www.centralrepurpose.net/cultivate/utilize/web services","request":"/collaborative/back-end/repurpose/mindshare","status":501,"user-identifier":"conn7478"}
{"bytes":8828,"datetime":"25/Apr/2022:07:12:19 -0700","host":"212.190.65.22","method":"GET","protocol":"HTTP/2.0","referer":"http://www.forwardrecontextualize.io/platforms","request":"/wireless/bricks-and-clicks/initiatives","status":200,"user-identifier":"lesch8267"}
{"bytes":15821,"datetime":"25/Apr/2022:07:12:19 -0700","host":"10.135.48.215","method":"HEAD","protocol":"HTTP/2.0","referer":"http://www.customerscalable.net/iterate/content/markets/solutions","request":"/next-generation/reintermediate","status":403,"user-identifier":"-"}
{"bytes":12196,"datetime":"25/Apr/2022:07:12:19 -0700","host":"188.119.82.199","method":"DELETE","protocol":"HTTP/1.1","referer":"http://www.nationaldrive.org/orchestrate","request":"/seamless/content/next-generation","status":302,"user-identifier":"russel3883"}
{"bytes":19598,"datetime":"25/Apr/2022:07:12:19 -0700","host":"12.236.74.232","method":"DELETE","protocol":"HTTP/2.0","referer":"https://www.districtredefine.io/global/systems","request":"/unleash","status":100,"user-identifier":"streich3222"}
{"bytes":27250,"datetime":"25/Apr/2022:07:12:19 -0700","host":"197.228.178.174","method":"GET","protocol":"HTTP/1.0","referer":"http://www.customersynergies.name/brand/portals/engineer/deliver","request":"/out-of-the-box/implement","status":205,"user-identifier":"casper7642"}
{"bytes":18239,"datetime":"25/Apr/2022:07:12:19 -0700","host":"117.216.161.177","method":"PATCH","protocol":"HTTP/1.1","referer":"https://www.principal24/7.biz/efficient","request":"/recontextualize/dot-com/repurpose","status":403,"user-identifier":"-"}
{"bytes":13487,"datetime":"25/Apr/2022:07:12:19 -0700","host":"199.157.197.87","method":"DELETE","protocol":"HTTP/2.0","referer":"http://www.chiefleverage.net/sexy","request":"/web+services/customized","status":406,"user-identifier":"-"}
{"bytes":24609,"datetime":"25/Apr/2022:07:12:19 -0700","host":"246.17.127.91","method":"HEAD","protocol":"HTTP/1.1","referer":"http://www.centraluser-centric.io/front-end","request":"/synergies/benchmark","status":503,"user-identifier":"-"}
{"bytes":13939,"datetime":"25/Apr/2022:07:12:19 -0700","host":"9.49.188.107","method":"GET","protocol":"HTTP/1.0","referer":"https://www.futureout-of-the-box.io/architect/robust/web services/users","request":"/e-markets","status":203,"user-identifier":"parisian8304"}

[JeanMertz]

I added this example to our list of real-world use-cases for iteration in VRL, see: #12455

The final code that (once iteration lands in the next release) solves this issue is written as such:

.input = map_values(array!(.input)) -> |input| {
  # `input` is an object inside the top-level `.input` array.

  input.items = map_values(array!(input.items)) -> |item| {
    # `item` is an object inside the `.input.items array.

    # "userAttributes": [
    #   {
    #     "__type": "String",
    #     "value": "Peter",
    #     "key": "Name"
    #   },
    #   {
    #     "__type": "String",
    #     "values": [
    #       {
    #         "city": "Tokyo",
    #         "country": "Japan"
    #       }
    #     ],
    #     "key": "Address"
    #   }
    # ],
    item.userAttributes = map_values(array!(item.userAttributes)) -> |attribute| {
      if attribute.key == "Name" {
        del(attribute.__type)

        key = del(attribute.key)
        value = del(attribute.value)

        attribute = set!(attribute, [key], value)
      } else if attribute.key == "Address" {
        attribute.values = map_values(array!(attribute.values)) -> |address| {
          del(address.city)
          address
        }
      }


      attribute
    }

    # "userId": [
    #   {
    #     "uId": "0000001",
    #     "userGroupId": 0
    #   }
    # ]
    item.userId = map_values(array!(item.userId)) -> |id| {
      del(id.userGroupId)

      id
    }

    item
  }

  input
}

[syzcch]

Hi @jszwedko and @JeanMertz,

Thank you so much for your great help. I am waiting for the Vector 0.22 and then I will do the refactor to migrate log pipeline from Filebeat->Logstash->ES to Vector->ES. Really appreciate your help.

[syzcch]

Hi @jszwedko,

I saw that we published the latest version 0.22.2 and that's really an exciting news. So what about the iteration function in VRL? Already in this release or in next one? Thank you so much.

[spencergilbert]

Yes, you can see a post regarding the newly added functions here: https://vector.dev/highlights/2022-05-18-vrl-iteration-support/

They are also documented at https://vrl.dev/functions

[syzcch]

That's really a good news. Thank you team.