You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi all! I've been parsing some VPC Flow Logs with VRL, and noticed that a chunk of them are being sidelined due to errors. All of the sidelined logs have unknown as the value for the account-id column, which is listed as possible in the AWS docs.
VRL appears to type account-id as an int64, which makes it fail to parse any VPC Flow logs where the account id is unknown. I believe parsing as int64 will also drop any leading 0 characters, which would make the output incorrect for any account id that has one or more leading zeroes.
Just thinking out loud here, but would it be feasible to mark the account ID as a string in this instance?
AWS have specified the key as a string type, and at face value I don't see any specific need for this to be an integer for the sake of manipulating the value.
That being said, I'm cognisant of the fact that there may be users that are handling these values specifically as integers. I'm not sure what they would be doing with this information, but I feel it's something to be mindful of.
I could just be overthinking this one.
I'm more than happy to handle a PR for this if changing Kind::integer to Kind::bytes is the agreed solution.
Hi all! I've been parsing some VPC Flow Logs with VRL, and noticed that a chunk of them are being sidelined due to errors. All of the sidelined logs have
unknown
as the value for theaccount-id
column, which is listed as possible in the AWS docs.VRL appears to type account-id as an int64, which makes it fail to parse any VPC Flow logs where the account id is unknown. I believe parsing as int64 will also drop any leading
0
characters, which would make the output incorrect for any account id that has one or more leading zeroes.Sample log with ENI and IPs obfuscated:
Let me know if you need any additional information!
The text was updated successfully, but these errors were encountered: