Troubleshooting

Quick Diagnosis

# Check container status
docker ps | grep filter

# Check recent logs
docker logs filter-severity --tail 50 2>&1 | grep -i error

# Test filtering
curl -X POST http://localhost:8080/logs \
  -H "Content-Type: application/json" \
  -d '{"level": "ERROR", "message": "test error"}'

Common Issues

All logs being dropped

Cause: Filter condition too strict or field name mismatch

# Check what severity values are being received
docker logs filter-severity --tail 20 2>&1 | grep -E "(level|severity)"

Fix: Normalize severity field name and case:

- mapping: |
    # Accept level, severity or log_level, whichever is present, and upper-case it
    root.severity = this.level.or(this.severity).or(this.log_level).uppercase()

Wrong logs going to alerting

Cause: Severity classification incorrect

Fix: Verify severity mapping:

- mapping: |
    # Map the normalized severity onto an alerting priority
    root.priority = match this.severity {
      ["CRITICAL", "FATAL", "EMERGENCY"].contains(this) => "high",
      ["ERROR", "ERR"].contains(this) => "medium",
      _ => "low",
    }

DEBUG logs not being dropped

Cause: Filter condition not matching

Fix: Use explicit drop:

- mapping: |
    # Drop DEBUG and TRACE messages outright
    if ["DEBUG", "TRACE"].contains(this.severity) {
      root = deleted()
    }

Performance issues at high volume

Cause: Too many regex operations

Fix: Use simple string matching:

# Instead of regex
- mapping: |
    # Plain substring test instead of a regex; or("") guards a missing field
    root.is_error = this.severity.uppercase().or("").contains("ERR")
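The four fixes above (normalize the severity field, classify priority, drop DEBUG/TRACE, flag errors with a plain substring test) can be checked end to end outside the container. The script below is an added example, not the project's own code, and reimplements the mapping logic in Python so it runs offline; the field names and the priority table are taken from the snippets above, while the function names and the sample records are constructed for this example. Records without any recognised severity field are kept but counted separately, which makes the "all logs being dropped" symptom visible as a field-name mismatch rather than silently losing the data.

```python
"""Added example (not the page's own code): the severity pipeline from the
troubleshooting steps above, rewritten in Python so the behaviour can be
checked against constructed sample records offline."""

HIGH = {"CRITICAL", "FATAL", "EMERGENCY"}
MEDIUM = {"ERROR", "ERR"}
DROP = {"DEBUG", "TRACE"}
# Field names the normalization fix tolerates, in the same order as the mapping
SEVERITY_FIELDS = ("level", "severity", "log_level")


def normalize_severity(record):
    """Return the upper-cased severity found under any accepted field name,
    or None when the record carries no usable severity."""
    for field in SEVERITY_FIELDS:
        value = record.get(field)
        if isinstance(value, str) and value.strip():
            return value.strip().upper()
    return None


def classify_priority(severity):
    """Same table as the priority mapping: high / medium / low."""
    if severity in HIGH:
        return "high"
    if severity in MEDIUM:
        return "medium"
    return "low"


def process(record):
    """Apply normalize -> drop -> classify -> is_error to one record.
    Returns None for a dropped record, otherwise the enriched copy."""
    severity = normalize_severity(record)
    if severity in DROP:
        return None
    out = dict(record)
    out["severity"] = severity
    out["priority"] = classify_priority(severity)
    # Plain substring test (no regex); matches "ERROR" and "ERR" alike
    out["is_error"] = "ERR" in (severity or "")
    return out


def run(records):
    """Process a batch; returns (kept_records, dropped_count, unclassified_count)."""
    kept, dropped, unclassified = [], 0, 0
    for rec in records:
        out = process(rec)
        if out is None:
            dropped += 1
            continue
        if out["severity"] is None:
            unclassified += 1
        kept.append(out)
    return kept, dropped, unclassified


# Constructed sample records, one per issue described above
SAMPLE_RECORDS = [
    {"level": "error", "message": "db timeout"},        # lower-case value
    {"severity": "CRITICAL", "message": "disk full"},    # alternate field name
    {"log_level": "debug", "message": "cache hit"},      # should be dropped
    {"level": "TRACE", "message": "enter handler"},      # should be dropped
    {"msg": "no severity at all"},                       # field-name mismatch
    {"level": "warn", "message": "slow query"},          # stays, low priority
]

if __name__ == "__main__":
    kept_records, dropped_n, unclassified_n = run(SAMPLE_RECORDS)
    print(f"kept={len(kept_records)} dropped={dropped_n} unclassified={unclassified_n}")
    for rec in kept_records:
        print(rec["severity"], rec["priority"], rec["is_error"], rec.get("message", rec.get("msg")))
```

Feed it a dump of the real records from `docker logs filter-severity` (one JSON object per line) and a non-zero unclassified count points at a field name the mapping does not yet accept; a dropped count equal to the input size points at the drop condition rather than the normalization.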

Still stuck?

  1. Add debug logging: logger: {level: DEBUG}
  2. Check the Complete Pipeline for reference config
  3. Review Enrich & Export for output configuration