Oracle Cloud Infrastructure Documentation

Troubleshoot Log Processing Pipeline

After your log data is ingested into Logging Analytics, the data processing begins asynchronously. During the data processing, if an error is encountered pertaining to parsing or interpreting the log data, then error message is displayed along with log data in the Log Explorer.

To detect the error and troubleshoot your log processing pipeline by identifying the type of error, use the Processing Errors metric. For steps to access the Processing Errors metric, see Monitor Logging Analytics Using Service Metrics.

When errors are detected, the Processing Errors metric displays a line for each collection type enabled in the tenancy or compartment. Hover the cursor on the data points on the chart to view more details about the error. Follow these steps to view the metrics by error type:

  1. Click the Options menu on the top right corner of the Processing Errors metric, and select View in Metric Explorer.

    The metric is now displayed in the Metrics Explorer. Here, you can view the chart in finer detail.

  2. Click Edit Queries and select Dimension Name as errorType and Dimension Value as the error type you noticed in the Log Explorer, for example, LogParserMismatch.

    Click Update Chart to refresh the chart visualization. The chart will now display the metrics for the errorType.

    You can switch to the Data Table view for a tabular representation of the collected error data points.

Following are the various types of errors reported through this metric for log processing:

Error Type Description Recommended Fix

LogParserMismatch

The parsers defined in the source do not match the log record. For example,

  • The regular expression does not match the log data.
  • The XPath expression does not exist in the log record json or XML.

Ensure that at least one matching parser exists to parse the data.

LogFieldParserMismatch

The parsers defined in the source do not match the field of the log record. For example, the regular expression does not match the field of the log data or the XPath expression does not exist in field of the log record json or XML.

  • The regular expression does not match the field of the log data.
  • The XPath expression does not exist in the field of the log record json or XML.

Ensure that at least one matching field parser exists to parse the data in the field.

LogParsingTookTooLong

One of the parsers defined in the source timed out because execution of the regular expression took more than 3 seconds. The regular expression may be complex or the log record is too long for the regular expression.

If this occurs thrice for a data bundle (a bundle is a zip file of some log records), the rest of the log records in the bundle are not parsed and are flagged with this parsing error type with the message exceeded max base parser regex timeout: 3.

Use faster regular expression(s) in the parser(s) of the source so that parsing does not time out. See Write Performant Regular Expressions.

LogFieldParsingTookTooLong

The parser defined for the field timed out because execution of the regular expression took more than 3 seconds. The regular expression may be complex or the log record is too long for the regular expression.

If this occurs thrice for a data bundle (a bundle is a zip file of some log records), the rest of the log records in the bundle are not parsed and are flagged with this parsing error type with the message Parsing failure: exceeded max field parser regex timeout: 3, parser: baseparser, level1fieldparser, level2fieldparser.

Use faster regular expression(s) in the field parser(s) of the source so that parsing does not time out. See Write Performant Regular Expressions.

LogParsingInvalidStructure

There is a mismatch between the data identified for collection and the parser definition.

For example,

  • The entry start expression does not have a match in the given JSON or XML file resulting in ZERO log entries collected
  • When the source has a Regex parser type but a JSON file is available for collection

If this occurs for a data bundle, the rest of the log records in the bundle are not parsed and are flagged with this parsing error type with the message: Parsing failure: exceeded max number of base parser invalid structured entries: 3.

Verify your parser definition and ensure that the incoming data conforms to the provided definition. Create a Parser

LogFieldParsingInvalidStructure

There is a mismatch between the data identified for collection and the field parser definition.

For example,

  • The entry start expression does not have a match in the given JSON or XML file resulting in ZERO log entries collected
  • When the source has a Regex parser type but a JSON file is available for collection

If this occurs thrice for a data bundle, the rest of the log records in the bundle are not parsed and are flagged with this parsing error type with the message: Parsing failure: exceeded max number of field parser invalid structured entries: 3, parser: baseparser, fieldparser.

Verify your field parser definition and ensure that the incoming data conforms to the provided definition. Create a Parser