How to parse Snowflake log file?

I’m trying to have Telegraf parse the log file of the local Snowflake instance. It usually looks like this:

nohup: Input is ignored
2023/07/24 20:09:24 Proxy starting
2023/07/24 20:10:19 NAT type: restricted
2023/07/24 21:11:24 In the last 1h0m0s, there were 3 connections. Traffic Relayed ↓ 69528 KB, ↑ 2418 KB.
2023/07/24 22:11:24 In the last 1h0m0s, there were 13 connections. Traffic Relayed ↓ 622101 KB, ↑ 46242 KB.
2023/07/24 23:51:55 In the last 1h0m0s, there were 4 connections. Traffic Relayed ↓ 23649 KB, ↑ 5311 KB.
2023/07/25 00:51:55 In the last 1h0m0s, there were 7 connections. Traffic Relayed ↓ 123722 KB, ↑ 11554 KB.
2023/07/25 01:51:55 In the last 1h0m0s, there were 2 connections. Traffic Relayed ↓ 124297 KB, ↑ 5029 KB.

Here’s my current config:

[[inputs.tail]]
  # file(s) to tail:
  files = ["~/snowflake/proxy/snowflake.log"]
  from_beginning = false

  # name of the "Metric" (which I want to see in Grafana eventually)
  name_override = "snowflake_log"
 
  grok_patterns = ["%{CUSTOM_LOG}"]

  grok_custom_patterns = '''
SNOWFLAKEDATE %{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}
CUSTOM_LOG %{SNOWFLAKEDATE:date} In the last 1h0m0s, there were %{NUMBER:snowflake_connections:int} connections. Traffic Relayed ↓ %{NUMBER:snowflake_downstream:int} KB, ↑ %{NUMBER:snowflake_upstream:int} KB.
'''
  data_format = "grok"

How can I tell Telegraf to ignore lines that include any of the following keywords?

  • nohup:
  • Proxy starting
  • NAT type:

Sometimes, however, there are also errors that include phrases like stream not found. How can I tell Telegraf to use the value 0 for snowflake_connections, snowflake_downstream and snowflake_upstream if the log line contains the phrase stream not found?

Thank you!

@pixelcode I’m not sure I do understand your target setting correctly… With your grok pattern, the nohup:, Proxy starting and NAT type: (or any line not matching your pattern) will be ignored as the grok parser will not find a pattern match. You can see this when running Telegraf with --debug as this will also show when a line was not matched.

If you want additional information (e.g. the errors you mention), you need to provide additional grok-patterns for those lines. If you want to fill-in missing fields you should use the default processor or if you need more sophisticated logic you should look into the starlark processor which can also generate additional metrics etc…

1 Like

The following processing seems to have solved it:

[[processors.defaults]]
  namepass = ["snowflake_metrics"]
  [processors.defaults.fields]
    snowflake_connections = 0
    snowflake_downstream = 0
    snowflake_upstream = 0

Also, I noticed that Telegraf doesn’t recognise ~/snowflake/proxy/snowflake.log, but only /home/pi/snowflake/proxy/snowflake.log.

Well, I guess you start Telegraf via systemd and thus the user that starts Telegraf is probably telegraf. So ~/snowflake/proxy/snowflake.log expands to /home/telegraf/snowflake/proxy/snowflake.log or whatever the home-dir of that user is set to… 🙂

1 Like
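
The matching behaviour discussed in this thread, mirrored in Python so the pattern can be checked offline against a log sample before it goes into Telegraf. This is an added example, not code from any of the posts: the regexes are hand-written equivalents of the grok pattern, and the `stream not found` line with its timestamp prefix is a constructed assumption, since the thread does not show a real one.

```python
import re
from datetime import datetime

TS = r"(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"

# Regex equivalent of the thread's CUSTOM_LOG grok pattern (hourly summary line).
SUMMARY = re.compile(
    "^" + TS + r" In the last 1h0m0s, there were (?P<snowflake_connections>\d+)"
    r" connections\. Traffic Relayed ↓ (?P<snowflake_downstream>\d+) KB,"
    r" ↑ (?P<snowflake_upstream>\d+) KB\.$"
)
# Hypothetical second pattern for error lines; assumes they carry the same timestamp.
ERROR = re.compile("^" + TS + r" (?P<message>.*stream not found.*)$")

# Same fill-in values as the [processors.defaults.fields] table in the thread.
DEFAULTS = {"snowflake_connections": 0, "snowflake_downstream": 0, "snowflake_upstream": 0}


def parse_line(line):
    """Return a fields dict, or None when no pattern matches (the line is dropped)."""
    m = SUMMARY.match(line)
    if m:
        fields = {k: int(v) for k, v in m.groupdict().items() if k != "date"}
    else:
        m = ERROR.match(line)
        if m is None:
            return None
        fields = {"message": m["message"]}
    fields["time"] = datetime.strptime(m["date"], "%Y/%m/%d %H:%M:%S")
    # Missing counters are filled with 0, as the defaults processor would do.
    return {**DEFAULTS, **fields}


def parse_log(text):
    """Parse a whole log and keep only the lines that produced a metric."""
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


# First four lines are from the question; the last line is constructed.
SAMPLE = """\
nohup: Input is ignored
2023/07/24 20:09:24 Proxy starting
2023/07/24 20:10:19 NAT type: restricted
2023/07/24 21:11:24 In the last 1h0m0s, there were 3 connections. Traffic Relayed ↓ 69528 KB, ↑ 2418 KB.
2023/07/25 02:13:07 stream not found
"""

if __name__ == "__main__":
    for metric in parse_log(SAMPLE):
        print(metric)
```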