The parse_syslog Remap function should produce an integer for procid

[binarylogic]

Process IDs, to my knowledge, are always integers. Therefore, the parse_syslog should produce an integer for the procid field.

[lucperkins]

@binarylogic Intuitively it absolutely seems like it should be an integer, but according to RFC 5424 it can also be NILVALUE, which in Syslog is -. So as far as I can tell it does need to be a string.

[jszwedko]

We could opt to parse - literally as null so that it could be represented as a null or integer in remap's type system. There is some precedence for this in #5489

[binarylogic]

That was going to be my suggestion, we should not preserve the - character.

[StephenWakely]

The ProcId doesn't necessarily have to be the pid, it can also hold the process name. I can't find any examples in the wild where the name is used, but it is possible according to the RFC.

The PROCID field is often used to provide the process name or process ID associated with a syslog system.

Current if it is a pid, this function is returning an integer:

$ $sys = parse_syslog("<133>Jun 13 16:33:35 haproxy[73411]: Proxy sticky-servers started.")
{ "appname": "haproxy", "facility": "local0", "message": "Proxy sticky-servers started.", "procid": 73411, "severity": "notice", "timestamp": 2020-06-13 15:33:35 UTC }

$ $sys.procid
73411

If it in a process name, it returns a string.

It doesn't do any special handling for - though, so this still needs to be done.

$ $sys = parse_syslog("<133>Jun 13 16:33:35 haproxy[-]: Proxy sticky-servers started.")
{ "appname": "haproxy", "facility": "local0", "message": "Proxy sticky-servers started.", "procid": "-", "severity": "notice", "timestamp": 2020-06-13 15:33:35 UTC }

$ $sys.procid
"-"

[binarylogic]

Didn't know that! Closing as a result.