y-scope / clp

Compressed Log Processor (CLP) is a free log management tool capable of compressing logs and searching the compressed logs without decompression.
https://yscope.com
Apache License 2.0

searching with clp-s for json log fields containing words with spaces is not working #284

Open bb-rajakarthik opened 7 months ago

bb-rajakarthik commented 7 months ago

Bug

I have compressed json logs using clp-s which look like the following:

{"level": "INFO", "message": "Fetched Profile of user 1"}
{"level": "INFO", "message": "Fetched Profile of user 2"}
{"level": "INFO", "message": "Unable to fetch Profile of user 3"}

and when I want to search on the archive generated after compression, I'm using the following command: *clp-s s /archives/9aa85aaa-72f8-4b7f-9c24-baf015dd2566 "message: Fetched Profile"**

which is leading me to the following error: line 1:15 extraneous input 'Profile' expecting Parser Error 2024-02-14T07:42:49.121+00:00 [error] Query 'message: Fetch Profile' is logically false

Am I doing something wrong in writing the search query? Ideally, the above query should filter out the first 2 lines from the archive.

CLP version

7de16f91cef842c079ad2df627f31e2029b396be

Environment

ubuntu 22.04

Reproduction steps

Create a file with the 3 logs mentioned above and run the following command to compress:

clp-s c /tmp sample.log

Now run search on the archive generated from the above command:

clp-s s /tmp/654f1911-fc44-4a39-9459-7577568a4d49/ "message: Fetched Profile*"

kirkrodrigues commented 7 months ago

Hey @bb-rajakarthik, thanks for the report. In our flavour of KQL, values with spaces need to be quoted (with "), otherwise the parser thinks Profile* is another term. Can you try this?

clp-s s /tmp/654f1911-fc44-4a39-9459-7577568a4d49/ 'message: "Fetched Profile*"'

We'll update the docs to clarify this.

Also, you can update to the latest version of clp-s since we've fixed some bugs. 🙂
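
The two quoting layers in this thread, as an added example that is not part of the original issue or the CLP project's code: the shell strips one layer of quotes before clp-s sees the query, so only the single-quoted form delivers the double quotes to the KQL parser. `last_arg` and `kql_term` are hypothetical helpers; `kql_term` rejects values containing `"` or `\` because the page does not give escaping rules for them.

```shell
#!/bin/sh
# Added example: how the shell and the clp-s KQL parser each consume one layer of quotes.

# last_arg ARGS...: print the final argument exactly as a program would receive it.
# It stands in for clp-s here so the example runs without an archive.
last_arg() {
    for arg in "$@"; do :; done
    printf '%s\n' "$arg"
}

# kql_term KEY VALUE (hypothetical helper): print "KEY: VALUE", wrapping VALUE in
# double quotes when it contains whitespace, as the maintainer's reply requires.
# Assumption: values containing '"' or '\' are rejected, since the page does not
# describe how to escape them.
kql_term() {
    case $2 in
        *\"*|*\\*) echo "kql_term: unsupported character in value" >&2; return 1 ;;
        *[[:space:]]*) printf '%s: "%s"\n' "$1" "$2" ;;
        *) printf '%s: %s\n' "$1" "$2" ;;
    esac
}

archive=/tmp/654f1911-fc44-4a39-9459-7577568a4d49/

# Reporter's form: the shell removes the double quotes, so the parser
# receives two bare words after the key.
last_arg clp-s s "$archive" "message: Fetched Profile*"

# Maintainer's form: the shell removes the single quotes, and the double
# quotes reach the parser as part of the query.
last_arg clp-s s "$archive" 'message: "Fetched Profile*"'

# Same query built from a key and a value held in variables.
last_arg clp-s s "$archive" "$(kql_term message 'Fetched Profile*')"
```
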