When a parser fails to parse incoming input, LogScale automatically adds the following fields to the event:
@error_msg: contains the error message
You can search for these fields to determine what happened and update the parser accordingly. When you find an error, you can add the @rawstring of any events that fail to parse as a test case for your parser.
You can search for all events that were not parsed correctly by searching the repository:
You can extend the query in different ways. For example, you can display a timechart:
@error=* | timechart()
or group results by error message:
@error=* | groupBy(@error_msg)
The original log input is available in @rawstring.
There is no way for LogScale to re-parse data once it's stored, even if there is an error on the event. You'll have to resend the event through the ingest API.
Parsers can timeout due to issues with parsers, for example due to catastrophic back tracing in regexes or due to excessively expensive computation. We have set timeouts to ensure availability and resilience to Denial-of-Service attacks.