Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename key with vrl #22523

Open
nitzan-tz opened this issue Feb 26, 2025 · 2 comments
Open

Rename key with vrl #22523

nitzan-tz opened this issue Feb 26, 2025 · 2 comments
Labels
type: bug A code related bug.

Comments

@nitzan-tz
Copy link

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

I have Juniper-structured syslog messages in the following format:

"message": "<28>1 2025-02-25T19:46:40.887Z mx204-lab R6_RR_MPLS_LAB:rpd 23152 RPD_BGP_NEIGHBOR_STATE_CHANGED [[email protected] peer-name=\"10.11.11.68 (Internal AS 65545)\" old-state=\"OpenConfirm\" new-state=\"Established\" event-type=\"RecvKeepAlive\" instance=\"master\"] BGP peer 10.11.11.68 (Internal AS 65555) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)"
Vector correctly parses the log using parse_syslog. However, I want to rename the key "[email protected]" to "junos_event_tags" using the following transformation:

.junos_event_tags = del(."[email protected]") # Rename
This works as expected in the Vector Playground, but when applied inside Vector, the transformation does not take effect. As a result, OpenSearch still receives the original key name, such as "[email protected]".

This is the VRL code
.message = string!(.message) if (match(.message, r'.*[email protected]')) { . |= parse_syslog!(.message) .junos_event_tags = del(."[email protected]") # rename }

Below is the output from the Playground:

{ "appname": "R6_RR_MPLS_LAB:rpd", "facility": "daemon", "hostname": "mx204-lab", "[email protected]": { "event-type": "RecvKeepAlive", "instance": "master", "new-state": "Established", "old-state": "OpenConfirm", "peer-name": "10.11.11.68 (Internal AS 65545)" }, "message": "BGP peer 10.11.11.68 (Internal AS 65555) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)", "msgid": "RPD_BGP_NEIGHBOR_STATE_CHANGED", "procid": 23152, "severity": "warning", "timestamp": "2025-02-25T19:46:40.887Z", "version": 1 }

Configuration

sources:
  system_logs:
    type: file
    include:
      - /var/log/**/*.log
    exclude:
      - /var/log/aide/*.log
      - /var/log/anaconda/*.log
    ignore_older_secs: 3600

  junos_syslog:
    type: syslog
    address: 0.0.0.0:5514
    max_length: 102400
    mode: udp
    permit_origin:
      - 10.113.0.0/24
  journald_logs:
    type: journald

transforms:
  rename_fields:
    type: remap
    inputs: ["system_logs", "journald_logs"]
    source: |
      . = map_keys(., recursive: true) -> |key|  { replace(key, r'^_', "") }
  junos_structured_logs:
    type: remap
    inputs: ["junos_syslog"]
    source: |-
      .message = string!(.message)
      if (match(.message, r'.*[email protected]')) { 
        . |= parse_syslog!(.message)
        .junos_event_tags = del(."[email protected]") # rename
      }



sinks:
  opensearch_linux:
    type: elasticsearch
    api_version: v8
    mode: data_stream
    data_stream:
      dataset: linux
    inputs:
       - rename_fields
    endpoint: https://10.98.0.211:9200
    auth:
      strategy: basic
      user: user
      password: pass
    tls:
      verify_certificate: false
      verify_hostname: false
    bulk:
      action: create

  opensearch_junos:
    type: elasticsearch
    api_version: v8
    mode: data_stream
    data_stream:
      dataset: junos
    inputs:
       - junos_structured_logs
    endpoint: https://10.98.0.211:9200
    auth:
      strategy: basic
      user: user
      password: pass
    tls:
      verify_certificate: false
      verify_hostname: false
    bulk:
      action: create

Version

vector 0.44.0 (x86_64-unknown-linux-gnu 3cdc7c3 2025-01-13 21:26:04.735691656)

Debug Output

[root@jump01-medpt ~]# RUST_BACKTRACE=full vector -vvv
2025-02-26T14:18:59.573315Z DEBUG vector::app: Internal log rate limit configured. internal_log_rate_secs=10
2025-02-26T14:18:59.573384Z  INFO vector::app: Log level is enabled. level="trace"
2025-02-26T14:18:59.573472Z DEBUG vector::app: messaged="Building runtime." worker_threads=2
2025-02-26T14:18:59.573608Z TRACE mio::poll: registering event source with poller: token=Token(1), interests=READABLE    
2025-02-26T14:18:59.574169Z  INFO vector::app: Loading configs. paths=["/etc/vector/vector.yaml"]
2025-02-26T14:18:59.576095Z DEBUG vector::config::loading: No secret placeholder found, skipping secret resolution.
2025-02-26T14:18:59.579627Z DEBUG vector::topology::builder: Building new source. component=journald_logs
2025-02-26T14:18:59.579905Z DEBUG vector::topology::builder: Building new source. component=junos_syslog
2025-02-26T14:18:59.580009Z DEBUG vector::topology::builder: Building new source. component=system_logs
2025-02-26T14:18:59.580144Z DEBUG vector::topology::builder: Building new transform. component=junos_structured_logs
2025-02-26T14:18:59.581891Z DEBUG vector::topology::builder: Building new transform. component=rename_fields
2025-02-26T14:18:59.582445Z DEBUG vector::topology::builder: Building new sink. component=opensearch_junos
2025-02-26T14:18:59.582690Z  WARN sink{component_kind="sink" component_id=opensearch_junos component_type=elasticsearch}: vector::sinks::elasticsearch::common: DEPRECATION, use of deprecated option `endpoint`. Please use `endpoints` option instead.
2025-02-26T14:18:59.582801Z  WARN sink{component_kind="sink" component_id=opensearch_junos component_type=elasticsearch}: vector_core::tls::settings: The `verify_certificate` option is DISABLED, this may lead to security vulnerabilities.
2025-02-26T14:18:59.582837Z  WARN sink{component_kind="sink" component_id=opensearch_junos component_type=elasticsearch}: vector_core::tls::settings: The `verify_hostname` option is DISABLED, this may lead to security vulnerabilities.
2025-02-26T14:18:59.597254Z DEBUG sink{component_kind="sink" component_id=opensearch_junos component_type=elasticsearch}: vector_core::tls::settings: Fetching system root certs.
2025-02-26T14:18:59.609228Z DEBUG sink{component_kind="sink" component_id=opensearch_junos component_type=elasticsearch}: vector_core::tls::settings: Fetching system root certs.
2025-02-26T14:18:59.623195Z DEBUG vector::topology::builder: Building new sink. component=opensearch_linux
2025-02-26T14:18:59.623429Z TRACE tower::buffer::worker: worker polling for next message
2025-02-26T14:18:59.623434Z  WARN sink{component_kind="sink" component_id=opensearch_linux component_type=elasticsearch}: vector::sinks::elasticsearch::common: DEPRECATION, use of deprecated option `endpoint`. Please use `endpoints` option instead.
2025-02-26T14:18:59.623687Z  WARN sink{component_kind="sink" component_id=opensearch_linux component_type=elasticsearch}: vector_core::tls::settings: The `verify_certificate` option is DISABLED, this may lead to security vulnerabilities.
2025-02-26T14:18:59.623712Z  WARN sink{component_kind="sink" component_id=opensearch_linux component_type=elasticsearch}: vector_core::tls::settings: The `verify_hostname` option is DISABLED, this may lead to security vulnerabilities.
2025-02-26T14:18:59.633773Z DEBUG sink{component_kind="sink" component_id=opensearch_linux component_type=elasticsearch}: vector_core::tls::settings: Fetching system root certs.
2025-02-26T14:18:59.644142Z DEBUG sink{component_kind="sink" component_id=opensearch_linux component_type=elasticsearch}: vector_core::tls::settings: Fetching system root certs.
2025-02-26T14:18:59.655617Z TRACE tower::buffer::worker: worker polling for next message
2025-02-26T14:18:59.656921Z  INFO vector::topology::running: Running healthchecks.
2025-02-26T14:18:59.656964Z DEBUG vector::topology::running: Connecting changed/added component(s).
2025-02-26T14:18:59.656987Z DEBUG vector::topology::running: Configuring outputs for source. component=junos_syslog
2025-02-26T14:18:59.657016Z DEBUG vector::topology::running: Configuring output for component. component=junos_syslog output_id=None
2025-02-26T14:18:59.657032Z DEBUG vector::topology::running: Configuring outputs for source. component=system_logs
2025-02-26T14:18:59.657046Z DEBUG vector::topology::running: Configuring output for component. component=system_logs output_id=None
2025-02-26T14:18:59.657060Z DEBUG vector::topology::running: Configuring outputs for source. component=journald_logs
2025-02-26T14:18:59.657073Z DEBUG vector::topology::running: Configuring output for component. component=journald_logs output_id=None
2025-02-26T14:18:59.657087Z DEBUG vector::topology::running: Configuring outputs for transform. component=junos_structured_logs
2025-02-26T14:18:59.657100Z DEBUG vector::topology::running: Configuring output for component. component=junos_structured_logs output_id=None
2025-02-26T14:18:59.657113Z DEBUG vector::topology::running: Configuring outputs for transform. component=rename_fields
2025-02-26T14:18:59.657135Z DEBUG vector::topology::running: Configuring output for component. component=rename_fields output_id=None
2025-02-26T14:18:59.657153Z DEBUG vector::topology::running: Connecting inputs for transform. component=junos_structured_logs
2025-02-26T14:18:59.657172Z DEBUG vector::topology::running: Adding component input to fanout. component=junos_structured_logs fanout_id=junos_syslog
2025-02-26T14:18:59.657194Z DEBUG vector::topology::running: Connecting inputs for transform. component=rename_fields
2025-02-26T14:18:59.657210Z DEBUG vector::topology::running: Adding component input to fanout. component=rename_fields fanout_id=system_logs
2025-02-26T14:18:59.657229Z DEBUG vector::topology::running: Adding component input to fanout. component=rename_fields fanout_id=journald_logs
2025-02-26T14:18:59.657244Z DEBUG vector::topology::running: Connecting inputs for sink. component=opensearch_linux
2025-02-26T14:18:59.657259Z DEBUG vector::topology::running: Adding component input to fanout. component=opensearch_linux fanout_id=rename_fields
2025-02-26T14:18:59.657287Z DEBUG vector::topology::running: Connecting inputs for sink. component=opensearch_junos
2025-02-26T14:18:59.657305Z DEBUG vector::topology::running: Adding component input to fanout. component=opensearch_junos fanout_id=junos_structured_logs
2025-02-26T14:18:59.657333Z DEBUG vector::topology::running: Spawning new source. key=junos_syslog
2025-02-26T14:18:59.657371Z DEBUG vector::topology::running: Spawning new source. key=system_logs
2025-02-26T14:18:59.657396Z DEBUG vector::topology::running: Spawning new source. key=journald_logs
2025-02-26T14:18:59.657420Z DEBUG vector::topology::running: Spawning new transform. key=junos_structured_logs
2025-02-26T14:18:59.657443Z DEBUG vector::topology::running: Spawning new transform. key=rename_fields
2025-02-26T14:18:59.657467Z TRACE vector::topology::running: Spawning new sink. key=opensearch_linux
2025-02-26T14:18:59.657490Z TRACE vector::topology::running: Spawning new sink. key=opensearch_junos
2025-02-26T14:18:59.657571Z  INFO vector: Vector has started. debug="false" version="0.44.0" arch="x86_64" revision="3cdc7c3 2025-01-13 21:26:04.735691656"
2025-02-26T14:18:59.657596Z  INFO vector::app: API is disabled, enable by setting `api.enabled` to `true` and use commands like `vector top`.
2025-02-26T14:18:59.657690Z DEBUG source{component_kind="source" component_id=journald_logs component_type=journald}: vector::topology::builder: Source starting.
2025-02-26T14:18:59.658023Z DEBUG transform{component_kind="transform" component_id=junos_structured_logs component_type=remap}: vector::topology::builder: Synchronous transform starting.
2025-02-26T14:18:59.658223Z DEBUG transform{component_kind="transform" component_id=rename_fields component_type=remap}: vector::topology::builder: Synchronous transform starting.
2025-02-26T14:18:59.658436Z DEBUG sink{component_kind="sink" component_id=opensearch_linux component_type=elasticsearch}: vector::topology::builder: Sink starting.
2025-02-26T14:18:59.658773Z DEBUG sink{component_kind="sink" component_id=opensearch_junos component_type=elasticsearch}: vector::topology::builder: Sink starting.
2025-02-26T14:18:59.658944Z DEBUG source{component_kind="source" component_id=system_logs component_type=file}: vector::topology::builder: Source pump supervisor starting.
2025-02-26T14:18:59.659069Z DEBUG source{component_kind="source" component_id=system_logs component_type=file}: vector::topology::builder: Source pump starting.
2025-02-26T14:18:59.659241Z DEBUG source{component_kind="source" component_id=junos_syslog component_type=syslog}: vector::topology::builder: Source pump supervisor starting.
2025-02-26T14:18:59.659378Z DEBUG source{component_kind="source" component_id=junos_syslog component_type=syslog}: vector::topology::builder: Source pump starting.
2025-02-26T14:18:59.659492Z DEBUG source{component_kind="source" component_id=junos_syslog component_type=syslog}: vector::topology::builder: Source starting.
2025-02-26T14:18:59.659735Z DEBUG http: vector::internal_events::http_client: Sending HTTP request. uri=https://10.24.99.73:9200/_cluster/health method=GET version=HTTP/1.1 headers={"authorization": Sensitive, "user-agent": "Vector/0.44.0 (x86_64-unknown-linux-gnu 3cdc7c3 2025-01-13 21:26:04.735691656)", "accept-encoding": "identity"} body=[empty]
2025-02-26T14:18:59.659798Z TRACE http: hyper::client::pool: checkout waiting for idle connection: ("https", 10.24.99.73:9200)
2025-02-26T14:18:59.659876Z TRACE http: hyper::client::connect::http: Http::connect; scheme=Some("https"), host=Some("10.24.99.73"), port=Some(Port(9200))
2025-02-26T14:18:59.659933Z DEBUG http: hyper::client::connect::http: connecting to 10.24.99.73:9200
2025-02-26T14:18:59.660388Z TRACE source{component_kind="source" component_id=junos_syslog component_type=syslog}: mio::poll: registering event source with poller: token=Token(139816034894720), interests=READABLE | WRITABLE    
2025-02-26T14:18:59.660447Z TRACE http: mio::poll: registering event source with poller: token=Token(139816037188480), interests=READABLE | WRITABLE    
2025-02-26T14:18:59.660644Z DEBUG http: vector::internal_events::http_client: Sending HTTP request. uri=https://10.24.99.73:9200/_cluster/health method=GET version=HTTP/1.1 headers={"authorization": Sensitive, "user-agent": "Vector/0.44.0 (x86_64-unknown-linux-gnu 3cdc7c3 2025-01-13 21:26:04.735691656)", "accept-encoding": "identity"} body=[empty]
2025-02-26T14:18:59.660677Z TRACE http: hyper::client::pool: checkout waiting for idle connection: ("https", 10.24.99.73:9200)
2025-02-26T14:18:59.660695Z TRACE http: hyper::client::connect::http: Http::connect; scheme=Some("https"), host=Some("10.24.99.73"), port=Some(Port(9200))
2025-02-26T14:18:59.660709Z DEBUG http: hyper::client::connect::http: connecting to 10.24.99.73:9200
2025-02-26T14:18:59.660768Z TRACE http: mio::poll: registering event source with poller: token=Token(139816037188736), interests=READABLE | WRITABLE    
2025-02-26T14:18:59.660793Z DEBUG source{component_kind="source" component_id=system_logs component_type=file}: vector::topology::builder: Source starting.
2025-02-26T14:18:59.660900Z  INFO source{component_kind="source" component_id=system_logs component_type=file}: vector::sources::file: Starting file server. include=["/var/log/**/*.log"] exclude=[]
2025-02-26T14:18:59.661126Z  INFO source{component_kind="source" component_id=junos_syslog component_type=syslog}: vector::sources::syslog: Listening. addr=0.0.0.0:1514 type="udp"
2025-02-26T14:18:59.661421Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: file_source::checkpointer: Loaded checkpoint data.
2025-02-26T14:18:59.661964Z TRACE vector: Beep.
2025-02-26T14:18:59.662178Z DEBUG http: hyper::client::connect::http: connected to 10.24.99.73:9200
2025-02-26T14:18:59.663257Z  WARN source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/aide/aide.log
2025-02-26T14:18:59.663506Z  WARN source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/anaconda/ks-script-vpjngal7.log
2025-02-26T14:18:59.663919Z DEBUG http: hyper::client::connect::http: connected to 10.24.99.73:9200
2025-02-26T14:18:59.664310Z DEBUG sink{component_kind="sink" component_id=opensearch_linux component_type=elasticsearch}: vector::utilization: utilization=0.035047293485749975
2025-02-26T14:18:59.664523Z DEBUG sink{component_kind="sink" component_id=opensearch_junos component_type=elasticsearch}: vector::utilization: utilization=0.003191231674675943
2025-02-26T14:18:59.665022Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/anaconda.log
2025-02-26T14:18:59.661297Z DEBUG source{component_kind="source" component_id=journald_logs component_type=journald}: vector::topology::builder: Source pump supervisor starting.
2025-02-26T14:18:59.665080Z DEBUG source{component_kind="source" component_id=journald_logs component_type=journald}: vector::topology::builder: Source pump starting.
2025-02-26T14:18:59.665768Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/X.log
2025-02-26T14:18:59.666278Z  INFO source{component_kind="source" component_id=journald_logs component_type=journald}: vector::sources::journald: Starting journalctl.
2025-02-26T14:18:59.666478Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/program.log
2025-02-26T14:18:59.667077Z TRACE source{component_kind="source" component_id=journald_logs component_type=journald}: mio::poll: registering event source with poller: token=Token(139816034895744), interests=READABLE | WRITABLE    
2025-02-26T14:18:59.667205Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/packaging.log
2025-02-26T14:18:59.667291Z TRACE source{component_kind="source" component_id=journald_logs component_type=journald}: mio::poll: registering event source with poller: token=Token(139816034896256), interests=READABLE    
2025-02-26T14:18:59.667958Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/storage.log
2025-02-26T14:18:59.668650Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/lvm.log
2025-02-26T14:18:59.669305Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/dnf.librepo.log
2025-02-26T14:18:59.669955Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/hawkey.log
2025-02-26T14:18:59.671491Z TRACE http: hyper::client::conn: client handshake Http1
2025-02-26T14:18:59.671702Z TRACE http: hyper::client::client: handshake complete, spawning background dispatcher task
2025-02-26T14:18:59.672368Z TRACE http: hyper::client::conn: client handshake Http1
2025-02-26T14:18:59.672392Z TRACE http: hyper::client::client: handshake complete, spawning background dispatcher task
2025-02-26T14:18:59.672444Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Busy }
2025-02-26T14:18:59.672475Z TRACE http: hyper::client::pool: checkout dropped for ("https", 10.24.99.73:9200)
2025-02-26T14:18:59.672527Z TRACE encode_headers: hyper::proto::h1::role: Client::encode method=GET, body=None
2025-02-26T14:18:59.672574Z DEBUG hyper::proto::h1::io: flushed 223 bytes
2025-02-26T14:18:59.672588Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2025-02-26T14:18:59.672668Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Busy }
2025-02-26T14:18:59.672691Z TRACE http: hyper::client::pool: checkout dropped for ("https", 10.24.99.73:9200)
2025-02-26T14:18:59.672719Z TRACE encode_headers: hyper::proto::h1::role: Client::encode method=GET, body=None
2025-02-26T14:18:59.672804Z DEBUG hyper::proto::h1::io: flushed 223 bytes
2025-02-26T14:18:59.672840Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2025-02-26T14:18:59.672921Z TRACE hyper::proto::h1::conn: Conn::read_head
2025-02-26T14:18:59.673172Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2025-02-26T14:18:59.673564Z  INFO source{component_kind="source" component_id=system_logs component_type=file}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/anaconda/dbus.log
2025-02-26T14:18:59.674126Z TRACE hyper::proto::h1::conn: Conn::read_head
2025-02-26T14:18:59.674167Z TRACE hyper::proto::h1::io: received 551 bytes
2025-02-26T14:18:59.674187Z TRACE parse_headers: hyper::proto::h1::role: Response.parse bytes=551
2025-02-26T14:18:59.674203Z TRACE parse_headers: hyper::proto::h1::role: Response.parse Complete(87)
2025-02-26T14:18:59.674231Z DEBUG hyper::proto::h1::io: parsed 2 headers
2025-02-26T14:18:59.674242Z DEBUG hyper::proto::h1::conn: incoming body is content-length (464 bytes)
2025-02-26T14:18:59.674259Z TRACE hyper::proto::h1::decode: decode; state=Length(464)
2025-02-26T14:18:59.674295Z DEBUG hyper::proto::h1::conn: incoming body completed
2025-02-26T14:18:59.674313Z TRACE hyper::proto::h1::conn: maybe_notify; read_from_io blocked
2025-02-26T14:18:59.674327Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Idle }
2025-02-26T14:18:59.674344Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Idle }
2025-02-26T14:18:59.674367Z TRACE http: hyper::client::pool: put; add idle connection for ("https", 10.24.99.73:9200)
2025-02-26T14:18:59.674383Z DEBUG http: hyper::client::pool: pooling idle connection for ("https", 10.24.99.73:9200)
2025-02-26T14:18:59.674403Z DEBUG http: vector::internal_events::http_client: HTTP response. status=200 OK version=HTTP/1.1 headers={"content-type": "application/json; charset=UTF-8", "content-length": "464"} body=[464 bytes]

Example Data

{
"message": "<28>1 2025-02-25T19:46:40.887Z mx204-lab R6_RR_MPLS_LAB:rpd 23152 RPD_BGP_NEIGHBOR_STATE_CHANGED [[email protected] peer-name="10.11.11.68 (Internal AS 65545)" old-state="OpenConfirm" new-state="Established" event-type="RecvKeepAlive" instance="master"] BGP peer 10.11.11.68 (Internal AS 65555) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)"
}

Additional Context

No response

References

No response
@nitzan-tz nitzan-tz added the type: bug A code related bug. label Feb 26, 2025
@pront
Copy link
Member

pront commented Feb 26, 2025

Hi @nitzan-tz, can you share the playground link please? Keep in mind that some vector events might have different shape and the path might not have a value.

@nitzan-tz
Copy link
Author

Hi,
This is the link

https://playground.vrl.dev/?state=eyJwcm9ncmFtIjoiICAgICAgLm1lc3NhZ2UgPSBzdHJpbmchKC5tZXNzYWdlKVxuICAgICAgaWYgKG1hdGNoKC5tZXNzYWdlLCByJy4qanVub3NAMjYzNi4xLjEuMS4yLjE0NCcpKSB7XG4gICAgICAgIC4gfD0gcGFyc2Vfc3lzbG9nISgubWVzc2FnZSlcbiAgICAgICAgLmp1bm9zX2V2ZW50X3RhZ3MgPSBkZWwoLlwianVub3NAMjYzNi4xLjEuMS4yLjE0NFwiKSAjIHJlbmFtZVxuICAgICAgfSIsImV2ZW50Ijp7Im1lc3NhZ2UiOiI8Mjg%2BMSAyMDI1LTAyLTI1VDE5OjQ2OjQwLjg4N1ogbXgyMDQtbGFiIFI2X1JSX01QTFNfTEFCOnJwZCAyMzE1MiBSUERfQkdQX05FSUdIQk9SX1NUQVRFX0NIQU5HRUQgW2p1bm9zQDI2MzYuMS4xLjEuMi4xNDQgcGVlci1uYW1lPVwiMTAuMTEuMTEuNjggKEludGVybmFsIEFTIDY1NTQ1KVwiIG9sZC1zdGF0ZT1cIk9wZW5Db25maXJtXCIgbmV3LXN0YXRlPVwiRXN0YWJsaXNoZWRcIiBldmVudC10eXBlPVwiUmVjdktlZXBBbGl2ZVwiIGluc3RhbmNlPVwibWFzdGVyXCJdIEJHUCBwZWVyIDEwLjExLjExLjY4IChJbnRlcm5hbCBBUyA2NTU1NSkgY2hhbmdlZCBzdGF0ZSBmcm9tIE9wZW5Db25maXJtIHRvIEVzdGFibGlzaGVkIChldmVudCBSZWN2S2VlcEFsaXZlKSAoaW5zdGFuY2UgbWFzdGVyKSJ9LCJpc19qc29ubCI6ZmFsc2UsImVycm9yIjpudWxsfQ%3D%3D

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug A code related bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pront @nitzan-tz