# Troubleshooting

## Quick Diagnosis

```bash
# Check container status
docker ps | grep filter

# Check recent logs
docker logs filter-severity --tail 50 2>&1 | grep -i error

# Test filtering
curl -X POST http://localhost:8080/logs \
  -H "Content-Type: application/json" \
  -d '{"level": "ERROR", "message": "test error"}'
```
## Common Issues

### All logs being dropped

Cause: Filter condition too strict, or the severity field arrives under a different name or case than the filter expects.

```bash
# Check what severity values are being received
docker logs filter-severity --tail 20 2>&1 | grep -E "(level|severity)"
```

Fix: Normalize the severity field name and case before filtering. The `.or("UNKNOWN")` fallback keeps the mapping from erroring when none of the candidate fields is present:

```yaml
- mapping: |
    # Accept level, severity or log_level; fall back to UNKNOWN so uppercase() never runs on null
    root.severity = this.level.or(this.severity).or(this.log_level).or("UNKNOWN").uppercase()
```
### Wrong logs going to alerting

Cause: Severity classification incorrect

Fix: Verify the severity mapping. Bloblang `match` cases are comma separated and do not support `"a" | "b"` alternatives, so test membership with `contains` (inside the cases, `this` is the matched severity value):

```yaml
- mapping: |
    root.priority = match this.severity {
      ["CRITICAL", "FATAL", "EMERGENCY"].contains(this) => "high",
      ["ERROR", "ERR"].contains(this) => "medium",
      _ => "low",
    }
```
### DEBUG logs not being dropped

Cause: Filter condition not matching

Fix: Use an explicit drop:

```yaml
- mapping: |
    if ["DEBUG", "TRACE"].contains(this.severity) {
      root = deleted()
    }
```
### Performance issues at high volume

Cause: Too many regex operations

Fix: Use simple string matching instead of regex:

```yaml
- mapping: |
    # or("") catches the error raised when severity is missing, so the result is always a boolean
    root.is_error = this.severity.uppercase().or("").contains("ERR")
```
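The fixes above interact: classification must run on the normalized field, and the drop must not run before the fields it tests exist. The following is an added example, not the project's own config, showing the three fixes combined in one processor in a safe order. It assumes a Benthos/Bento-style `pipeline.processors` layout and that the message body is the JSON document the curl test above sends.

```yaml
pipeline:
  processors:
    - mapping: |
        # 1. Normalize once into a variable; string() guards against numeric levels,
        #    or("UNKNOWN") guards against a missing field, so uppercase() never errors.
        let sev = this.level.or(this.severity).or(this.log_level).or("UNKNOWN").string().uppercase()

        # Keep the original fields and overwrite severity with the normalized value.
        root = this
        root.severity = $sev

        # 2. Classify from the normalized value, never from the raw input field.
        root.priority = match {
          ["CRITICAL", "FATAL", "EMERGENCY"].contains($sev) => "high",
          ["ERROR", "ERR"].contains($sev) => "medium",
          _ => "low",
        }

        # Cheap string test for downstream routing; no regex on the hot path.
        root.is_error = $sev.contains("ERR")

        # 3. Drop noise last, after every field that earlier steps might read is set.
        if ["DEBUG", "TRACE"].contains($sev) {
          root = deleted()
        }
```

Sending `{"level": "ERROR", "message": "test error"}` through this mapping yields `severity: "ERROR"`, `priority: "medium"`, `is_error: true`; a `{"log_level": "debug"}` message is dropped, and a message with no level field at all is kept with `severity: "UNKNOWN"` rather than failing the processor.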
## Still stuck?

- Add debug logging:

  ```yaml
  logger: {level: DEBUG}
  ```

- Check the Complete Pipeline for a reference config
- Review Enrich & Export for output configuration