RETIRED, TripleO CI Health logstash and regex queries for logs.
Go to file
2021-04-16 11:59:31 +00:00
.github/workflows Validate query schema (#6) 2021-01-18 14:19:55 +00:00
build WIP 2020-12-03 13:04:13 +00:00
output Added current sova patterns from artcl (#9) 2021-02-22 11:53:11 +00:00
src Changing source url for queries from github to opendev as the project has moved from github to opendev. 2021-03-05 15:08:37 +01:00
zuul.d Move zuul jobs to system-config queue 2021-04-16 11:18:50 +01:00
.gitignore Improved test dependencies management 2021-04-15 16:12:21 +01:00
.gitreview Bootstrap zuul and gerrit config 2021-03-04 11:52:25 +00:00
.pre-commit-config.yaml Enable pre-commit 2021-01-12 13:27:43 +00:00
.yamllint.yaml Enable pre-commit 2021-01-12 13:27:43 +00:00
bindep.txt Improved test dependencies management 2021-04-15 16:12:21 +01:00
LICENSE Initial commit 2020-12-03 12:50:14 +00:00
README.md Validate query schema (#6) 2021-01-18 14:19:55 +00:00
requirements.in Improved test dependencies management 2021-04-15 16:12:21 +01:00
requirements.txt Improved test dependencies management 2021-04-15 16:12:21 +01:00
tox.ini Improved test dependencies management 2021-04-15 16:12:21 +01:00

queries

Hosts reusable log queries which are built into a single queries.json file.

Query database structure

Queries are defined using the data model from src/model.py which builds a JSON Validation schema, making easy to validate the file.

One example of file can be seen at queries-example.yml

Both elastic-search and artcl can make use of regex searches.

Pattern is supposed to be an exact string match and if multiple are present we could easily convert them into a regex or logstash expression that uses logical AND.

Pattern

On elastic-rechheck queries we have cases with multiple entries used on patterns, like message:foo AND message:bar. This is why we also allow a list of strings.

Categories

A query can have only one category out of a determined list of possible values, currently infra and code are allowed. These can be used to list found matches in section, making them easier to read.

Tags

Tags are also used to build the logstash queries. List of known values already used inside elastic-recheck queries:

tags:
  - console
  - console.html
  - devstack-gate-setup-host.txt
  - grenade.sh.txt
  - job-output.txt
  - screen-c-api.txt
  - screen-c-bak.txt
  - screen-n-cpu.txt
  - screen-n-sch.txt
  - screen-q-agt.txt
  - syslog.txt

When logstash query is build OR is used between multiple tags.

Uncovered cases:

We do not currently support the exclusions like below (2/93 found):

query: >-
  message:"RESULT_TIMED_OUT: [untrusted : git.openstack.org/openstack/tempest/playbooks/devstack-tempest.yaml@master]" AND
  tags:"console" AND NOT
  (build_name:"tempest-all" OR
   build_name:"tempest-slow" OR
   build_name:"tempest-slow-py3")  

query2: >-
  (message: "FAILED with status: 137" OR
  message: "FAILED with status: 143" OR
  message: "RUN END RESULT_TIMED_OUT") AND
  NOT message:"POST-RUN END RESULT_TIMED_OUT" AND
  tags: "console"  

To allow us to cover for corner cases not covered byt the generic format, we could have an optional logstash key that mentions the query. When this would be present, we woudl avoid building the logstash query ourselves and just use it.

Disable queries per backend

To avoid using a particular query on a particular backend we can make use of skip: ['er', 'artcl'].