Telegraf Logparser - Response code: tag or field?

[mpchadwick]

Proposal:

Response Code should be tag in the logparser plugin

Current behavior:

It is a field

Desired behavior:

Is should be a tag

Use case: [Why is this important (helps with prioritizing requests)]

There are a limited number of variants for response code so it shouldn't increase series cardinality too much. It is very likely that you would want to use response code in a WHERE or GROUP BY query. This was initially proposed in the Google group and got a thumbs up from @beckettsean

[sparrc]

👍

[Mikanoshi]

And this totally disables queries like WHERE resp_code >= 400 :) But when adding resp_code as int it disables GROUP BY... So had to add the code twice, which means adding it to log twice! Casting values to integer in WHERE clause would be useful https://github.com/influxdata/influxdb/issues/5930

[sparrc]

oh, shoot, now I remember that is why I made it a field in the first place. I'll have to think if I want to change it back now

[jcmcken]

This change basically invalidates the discussion here, due to comparators not working with tags (as mentioned by @Mikanoshi)

[sparrc]

if you want it as a field, you can change this by using your own custom log format:

COMMON_LOG_FORMAT_FIELD_RC %{CLIENT:client_ip} %{NOTSPACE:ident} %{NOTSPACE:auth} \[%{HTTPDATE:ts:ts-httpd}\] "(?:%{WORD:verb:tag} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version:float})?|%{DATA})" %{NUMBER:resp_code:int} (?:%{NUMBER:resp_bytes:int}|-)

[danielnelson]

Closing, use sparrc's technique to move the item to a tag if desired.