datadog facet path with special symbols

Question

I have an index created on the log and the paths have special character : for example:

@params.rs:orgId
@params.rs:format

Sample URL:

10.32.45.56 - user [12/Sep/2020:06:25:51 -0400] "GET /v1/resources/manifestinfo?rs:format=json&rs:orgId=123&rs:correlationId=39e8f697-3549-a142-224b-251fc6672a94-32edb97dc3f8 HTTP/1.1" 200 14002 - -

grok parser:

rule1 %{ipv4:network.client.ip}\s+-\s+%{word:user}\s+\[%{date("dd/MMM/yyyy:HH:mm:ss Z"):date}\]\s+\"%{word:http.module}\s+\/v1\/resources\/+%{word:onemds.module}\?+%{data:onemds.params:keyvalue("=","/:","","&")}

when I try to add facet for @params.rs:orgId

I am getting error as

An error occurred while saving the facet: The Facet path must contain only letters, digits, or the characters - _ . @ $

score 0 · Answer 1 · edited Sep 15 '20 at 22:09

got this resolved with below

rule1 %{ipv4:network.client.ip}\s+-\s+%{word:user}\s+\[%{date("dd/MMM/yyyy:HH:mm:ss Z"):date}\]\s+\"%{word:http.module}\s+\/v1\/resources\/+%{word:onemds.module}\?+%{data:onemds.params:keyvalue("=","/:","",":&")}

was never expecting the delimiter that can take 2 characters above :&

this helped to remove rs: for all except the first one. not an elegant approach but it worked for my use case.

datadog facet path with special symbols

1 Answers1