Cloudflare HTTP Event Log Source Schema is incorrect for BotTags #186

Open
deeso opened this issue Dec 9, 2023 · 1 comment

deeso commented Dec 9, 2023

There is a bug in the Cloudflare HTTP event schema. The schema defines the cloudflare.http_event.bot.tag as a string here, but the actual value is an array of strings, see:

When the VRL parses the log, the result is either null or an array of strings at this location:

```
.cloudflare.http_request.bot.tag = del(.json.BotTags)
```

This causes any JSON log line containing a BotTags array to fail and be sidelined by the transform. The error creates the following error message in the CloudWatch logs for the Data Transformer lambda:

```
ERROR transformer: Line error: Line err: SchemaMismatchError, msg: Failed to resolve schema for due to schema mismatch for table cloudflare_http_request. (log source: tablename)
```

To fix this issue, this block snippet needs to be converted from:

```yaml
          - name: bot
            type:
              type: struct
              fields:
              - name: score
                type:
                  type: struct
                  fields:
                  - name: src
                    type: string
                  - name: value
                    type: long
              - name: tag
                type: string
```

To:

```yaml
          - name: bot
            type:
              type: struct
              fields:
              - name: score
                type:
                  type: struct
                  fields:
                  - name: src
                    type: string
                  - name: value
                    type: long
              - name: tag
                # BotTags arrives as an array of strings (or null)
                type:
                  type: list
                  element: string
```

@Samrose-Ahmed
Contributor

That looks correct, happy to accept a PR.

If you wish to continue using the existing table, you will have to manually drop or rename the column from your table via Spark or API since it's a breaking schema change (if you're testing you can just recreate it).
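
The mismatch reported in this issue, modelled as an added example (not Matano's own validation code and not part of the thread): it checks the `bot` struct of each log line against the schema fragment before and after the proposed change. The sample log lines are constructed, and the `BotScore`/`BotScoreSrc` mapping and the treatment of null as an acceptable absent value are assumptions of this example.

```python
import json

# Schema fragments from the issue, written as dicts with the same shape as the YAML.
BOT_BEFORE = {"type": "struct", "fields": [
    {"name": "score", "type": {"type": "struct", "fields": [
        {"name": "src", "type": "string"},
        {"name": "value", "type": "long"}]}},
    {"name": "tag", "type": "string"}]}
BOT_AFTER = {"type": "struct", "fields": [
    BOT_BEFORE["fields"][0],
    {"name": "tag", "type": {"type": "list", "element": "string"}}]}

PRIMITIVES = {"string": str, "long": int}

def mismatches(value, typ, path="bot"):
    """Return the paths where value does not fit typ.
    None is treated as an absent optional field (assumption of this example)."""
    if value is None:
        return []
    if isinstance(typ, str):  # primitive type name
        ok = isinstance(value, PRIMITIVES[typ]) and not isinstance(value, bool)
        return [] if ok else [f"{path}: expected {typ}, got {type(value).__name__}"]
    if typ["type"] == "list":
        if not isinstance(value, list):
            return [f"{path}: expected list, got {type(value).__name__}"]
        return [m for i, v in enumerate(value)
                for m in mismatches(v, typ["element"], f"{path}[{i}]")]
    if not isinstance(value, dict):  # remaining case: struct
        return [f"{path}: expected struct, got {type(value).__name__}"]
    return [m for f in typ["fields"]
            for m in mismatches(value.get(f["name"]), f["type"], f"{path}.{f['name']}")]

def bot_struct(line):
    """Build the bot struct from a raw JSON log line. The BotTags -> tag mapping
    is the one quoted in the issue; the score mapping is assumed."""
    rec = json.loads(line)
    return {"score": {"src": rec.get("BotScoreSrc"), "value": rec.get("BotScore")},
            "tag": rec.get("BotTags")}

def sidelined(schema, lines):
    """Indexes of the lines that would fail the schema check."""
    return [i for i, line in enumerate(lines) if mismatches(bot_struct(line), schema)]

SAMPLE_LINES = [  # constructed sample input, not real traffic
    '{"BotScore": 1, "BotScoreSrc": "Heuristics", "BotTags": ["example-tag-a", "example-tag-b"]}',
    '{"BotScore": 99, "BotScoreSrc": "Machine Learning", "BotTags": null}',
]
```

Running `sidelined` over a sample of raw log lines before deploying a schema change shows which events would be dropped from the table, which matters because sidelined lines never reach detections.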
