Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to Filter the logs by EVENT ID #34306

Closed
saiganeshkABI opened this issue Jul 30, 2024 · 5 comments
Closed

Unable to Filter the logs by EVENT ID #34306

saiganeshkABI opened this issue Jul 30, 2024 · 5 comments
Labels
needs triage New item requiring triage os:windows receiver/windowseventlog

Comments

@saiganeshkABI
Copy link

saiganeshkABI commented Jul 30, 2024
edited by crobert-1
Loading

Component(s)

receiver/windowseventlog

Describe the issue you're reporting

I have enabled the Windows Event Log receiver in the OTel collector. I'm unable to filter to only include the event logs coming from Event ID: 102.
waiting-for-author
config.yaml

  windowseventlog:
    channel: Microsoft-Windows-TaskScheduler/Operational
    attributes: {"service":"otel","source":"windows_event"}
    start_at: end
    operators:
    - type: filter
      expr: 'resource.Event.System.EventID == "102"'
    - type: retain
      fields: 
        - resource.Event.System.EventID
@saiganeshkABI saiganeshkABI added the needs triage New item requiring triage label Jul 30, 2024
@github-actions GitHub Actions
Copy link
Contributor

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot mentioned this issue Aug 6, 2024
Closed
@saiganeshkABI
Copy link
Author

waiting-for-author

@pjanotti
Copy link
Contributor

pjanotti commented Aug 7, 2024

I will try to repro it later today.

@pjanotti
Copy link
Contributor

pjanotti commented Aug 7, 2024

/label os:windows

This was referenced Aug 13, 2024
Closed
Closed
@pjanotti
Copy link
Contributor

pjanotti commented Aug 24, 2024
edited
Loading

The issue is due to incorrect specification of the filter, the following configuration works:

receivers:
  windowseventlog:
    channel: Microsoft-Windows-TaskScheduler/Operational
    attributes: {"service":"otel","source":"windows_event"}
    start_at: end
    operators:
    - type: filter
      expr: 'body.EventID == "102"'
    - type: retain
      fields:
        - body.event_id.id
exporters:
  debug:
    verbosity: detailed
service:
  pipelines:
    logs:
      receivers: [windowseventlog]
      exporters: [debug]

@djaglowski any suggestions on how to make the the operators expression more discoverable?

@open-telemetry/collector-contrib-triagers this issue can be closed.

cc @saiganeshkABI

@mx-psi mx-psi closed this as completed Aug 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs triage New item requiring triage os:windows receiver/windowseventlog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mx-psi @pjanotti @saiganeshkABI