Support for reading CloudWatch Logs JSON using json codec #5045

dlvenable · 2024-10-10T19:31:12Z

Is your feature request related to a problem? Please describe.

We want to be able to decode CloudWatch Logs subscription filters.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

{
    "owner": "111111111111",
    "logGroup": "CloudTrail/logs",
    "logStream": "111111111111_CloudTrail/logs_us-east-1",
    "subscriptionFilters": [
        "Destination"
    ],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {
            "id": "31953106606966983378809025079804211143289615424298221568",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "31953106606966983378809025079804211143289615424298221569",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "31953106606966983378809025079804211143289615424298221570",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        }
    ]
}

There are a few things the existing json codec will have trouble with here.

It picks the first JSON array. In this case it will be subscriptionFilters rather than logEvents.
There is useful metadata that never appears in the generated events. For example, logStream.

Describe the solution you'd like

I'd like the existing json codec to support a few new features.

Allow the pipeline author to choose the key within the JSON to parse.

codec:
  json:
    key_name: logEvents

The key_name matches the json output codec's similar configuration.

data-prepper/data-prepper-plugins/parse-json-processor/src/main/java/org/opensearch/dataprepper/plugins/codec/json/JsonOutputCodecConfig.java

Lines 13 to 15 in 76d76fc

    
           @JsonProperty("key_name") 
        
           @Size(min = 1, max = 2048) 
        
           private String keyName = DEFAULT_KEY_NAME;

Allow selecting data from the root of the JSON to include in each object.

codec:
  json:
    include_keys: ['owner', logGroup', 'logStream' ]

This would output events like the following:

{
  "id": "31953106606966983378809025079804211143289615424298221568",
  "timestamp": 1432826855000,
  "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}",
  "owner": "111111111111",
  "logGroup": "CloudTrail/logs",
  "logStream": "111111111111_CloudTrail/logs_us-east-1",
}

Allow selecting data from the root of the JSON to include in the metadata for each object.

codec:
  json:
    include_keys_metadata: ['owner', logGroup', 'logStream' ]

The text was updated successfully, but these errors were encountered:

sb2k16 · 2024-10-10T19:34:40Z

I would like to work on this issue. Could you please assign this to me.

dlvenable added the untriaged label Oct 10, 2024

sb2k16 mentioned this issue Oct 11, 2024

Json codec changes with specific json input codec config #5054

Merged

2 tasks

kkondaka closed this as completed in #5054 Oct 15, 2024

dlvenable added enhancement New feature or request and removed untriaged labels Oct 15, 2024

dlvenable added this to the v2.10 milestone Oct 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support for reading CloudWatch Logs JSON using json codec #5045

Support for reading CloudWatch Logs JSON using json codec #5045

dlvenable commented Oct 10, 2024

sb2k16 commented Oct 10, 2024

Support for reading CloudWatch Logs JSON using json codec #5045

Support for reading CloudWatch Logs JSON using json codec #5045

Comments

dlvenable commented Oct 10, 2024

sb2k16 commented Oct 10, 2024