
Parse Severity

Telemetry types: Metrics / Logs / Traces (this processor operates on log records)
BindPlane Agent: v1.36.0+

Description

The Parse Severity Processor is designed to normalize severity fields in log data into user-defined values, enhancing the consistency and readability of log data. By allowing users to map existing severity values to standard levels, it aids in the uniform analysis and visualization of logs across varied sources.

Use

The processor is essential in environments where logs from different sources use varied severity naming conventions. By mapping these diverse severity indicators to standard values, it ensures that the severity data remains consistent, making it easier to filter, analyze, and generate insights from the log data.

Configuration

Field | Description
Condition | An OTTL condition that must evaluate to true for the processor to be applied to a log entry, allowing selective processing of entries.
Match | Where the severity value lives in the log entry: body, resource, or attributes.
Severity Field | The name of the field, within the selected location, that holds the severity value to be parsed and normalized.
Trace | A list of input values that should be normalized to TRACE.
Debug | A list of input values that should be normalized to DEBUG.
Info | A list of input values that should be normalized to INFO.
Warn | A list of input values that should be normalized to WARN.
Error | A list of input values that should be normalized to ERROR.
Fatal | A list of input values that should be normalized to FATAL.

Example Configurations

Available Parsing Formats

In addition to exact string matching, the processor supports two range forms for mapping values. HTTP status code classes can be assigned with the notation 1xx, 2xx, 3xx, 4xx, or 5xx; for example, 2xx covers every status code from 200 through 299, as shown below.

(Image: observIQ docs - Parse Severity - HTTP Status Range)

A numeric range such as 8-12 maps any number within that range (9, for instance) to the log level the range is assigned to.

(Image: observIQ docs - Parse Severity - Number Range)

Normalize Severity Levels in Log Data

In this example, the Parse Severity Processor is configured to normalize severity levels from the "level" field in the log body into user-defined standard levels.

(Image: observIQ docs - Parse Severity - image 1)

Here is a sample log entry:

Body (JSON):

{
  "message": "An error occurred during processing",
  "level": "err"
}

The objective is to map the "err" severity level to the standard "error" level so that severity is consistent across all log entries. The Parse Severity Processor is configured as follows:

  • Condition: true (applies to all logs)

  • Match: Body

  • Severity Field: level

  • Severity Mappings, written here as input value to normalized level (in the configuration form, each standard level takes the list of values that map to it):

    JSON
    {
      "err": "error",
      "warning": "warn",
      "information": "info",
      "debugging": "debug",
      "critical": "fatal"
    }

With this setup, when the log entry is processed, the record's severity is set to the mapped value:

Log After Processing (JSON):

{
  "severity": "error"
}

The severity level "err" is now normalized to "error", giving a uniform representation of severity across all log entries. This makes filtering, analysis, and alerting on severity simpler, especially for logs from multiple sources with different severity naming conventions. Only values that appear in a mapping list are normalized, so it is worth checking each source's actual severity vocabulary against the configured lists before relying on severity-based alerts.
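To make the matching rules concrete, here is an added Python example, written for this page rather than taken from BindPlane's own source, that reimplements the semantics described under Available Parsing Formats and in the normalization example above: literal values, HTTP status classes such as 4xx, and numeric ranges such as 8-12, applied to a field in the body or attributes of a record. It assumes case-insensitive literal comparison and first-match-wins rule order, neither of which the page specifies; the STATUS_CONFIG mapping and every sample record except the page's own are constructed for the demonstration.

```python
import re
from typing import Any, Callable, Dict, List, Optional

LEVELS = ("trace", "debug", "info", "warn", "error", "fatal")  # normalized levels

def _as_int(value: Any) -> Optional[int]:
    """An int, or a string of digits, as int; anything else (incl. bool) is None."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and re.fullmatch(r"\d+", value.strip()):
        return int(value.strip())
    return None

def _in_range(low: int, high: int) -> Callable[[Any], bool]:
    def pred(value: Any) -> bool:
        n = _as_int(value)
        return n is not None and low <= n <= high
    return pred

def compile_spec(spec: str) -> Callable[[Any], bool]:
    """'4xx' -> HTTP class 400..499; '8-12' -> inclusive range; anything else a
    literal. Case-insensitive literal matching is this example's assumption."""
    spec = str(spec).strip()
    m = re.fullmatch(r"([1-5])xx", spec, re.IGNORECASE)
    if m:
        low = int(m.group(1)) * 100
        return _in_range(low, low + 99)
    m = re.fullmatch(r"(\d+)-(\d+)", spec)
    if m:
        low, high = sorted((int(m.group(1)), int(m.group(2))))
        return _in_range(low, high)
    literal = spec.lower()
    return lambda v: (isinstance(v, (str, int)) and not isinstance(v, bool)
                      and str(v).strip().lower() == literal)

def build_matchers(config: Dict[str, List[str]]) -> List[tuple]:
    """config mirrors the form: normalized level -> values mapped to it.
    Rules are tried in configuration order, first match wins (assumption)."""
    matchers: List[tuple] = []
    for level, specs in config.items():
        if level.lower() not in LEVELS:
            raise ValueError(f"unknown severity level: {level!r}")
        for spec in specs:
            matchers.append((str(spec), level.lower(), compile_spec(spec)))
    return matchers

def normalize(record: Dict[str, Any], match: str, field: str,
              matchers: List[tuple]) -> Dict[str, Any]:
    """Copy of record with 'severity' set when field in the chosen section
    (body, resource or attributes) matches a rule; unmapped values are left alone."""
    out = dict(record)
    section = record.get(match)
    if isinstance(section, dict) and field in section:
        for _spec, level, pred in matchers:
            if pred(section[field]):
                out["severity"] = level
                break
    return out

def unmapped_values(records: List[Dict[str, Any]], match: str, field: str,
                    matchers: List[tuple]) -> List[Any]:
    """Audit check: raw values no rule accepts. An unmapped variant of 'err'
    silently escapes any alert that filters on severity == error."""
    seen: List[Any] = []
    for rec in records:
        section = rec.get(match)
        if isinstance(section, dict) and field in section:
            v = section[field]
            if v not in seen and not any(p(v) for _s, _l, p in matchers):
                seen.append(v)
    return seen

# The page's example mapping, written as the form takes it (level -> values).
LEVEL_CONFIG = {"error": ["err"], "warn": ["warning"], "info": ["information"],
                "debug": ["debugging"], "fatal": ["critical"]}
# A second, hypothetical configuration keyed on an HTTP status attribute.
STATUS_CONFIG = {"info": ["2xx", "3xx"], "warn": ["4xx"], "error": ["5xx"],
                 "debug": ["8-12"]}
# Constructed sample records; the first is the page's own example.
SAMPLE_LOGS = [
    {"body": {"message": "An error occurred during processing", "level": "err"}},
    {"body": {"message": "disk usage at 91%", "level": "WARNING"}},
    {"body": {"message": "rotated key", "level": "notice"}},
    {"body": {"message": "upstream failed"}, "attributes": {"status": 503}},
    {"body": {"message": "not found"}, "attributes": {"status": "404"}},
    {"body": {"message": "vendor code"}, "attributes": {"status": 9}},
]

def run_example() -> List[Optional[str]]:
    """Apply both configurations in turn, as two chained processors would, and
    return each record's resulting severity (None when nothing matched)."""
    level_rules = build_matchers(LEVEL_CONFIG)
    status_rules = build_matchers(STATUS_CONFIG)
    results = []
    for rec in SAMPLE_LOGS:
        rec = normalize(rec, "body", "level", level_rules)
        rec = normalize(rec, "attributes", "status", status_rules)
        results.append(rec.get("severity"))
    return results
```

run_example() returns the severity assigned to each sample record, and unmapped_values() lists the raw values that no rule accepted; the latter is the check to run against a new log source before trusting an alert keyed on normalized severity.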