Parser Errors

When a parser fails to parse incoming input, LogScale automatically adds the following fields to the event:

@error=true
@event_parsed=false
@error_msg: contains the error message

You can search for these fields to determine what happened and update the parser accordingly. When you find an error, you can add the @rawstring of any events that fail to parse as a test case for your parser.

Finding Errors

You can search for all events that were not parsed correctly by searching the repository:

logscale

@error=*

You can extend the query in different ways. For example, you can display a timechart:

logscale

@error=* | timechart()

or group results by error message:

logscale

@error=* | groupBy(@error_msg)

The original log input is available in @rawstring.

Note

There is no way for LogScale to re-parse data once it's stored, even if there is an error on the event. You'll have to resend the event through the ingest API.

Falcon LogScale Documentation

Introduction and Overview

Reference Information

Knowledge Base

LogScale Notices

Release Notes

LogScale Training

Parser Errors

Finding Errors

Note

Enter search term