Skip to content

fix: stable JSON log pattern hashing using message-field extraction#16

Merged
blue4209211 merged 1 commit into
mainfrom
fix/json-log-pattern-hashing
Mar 10, 2026
Merged

fix: stable JSON log pattern hashing using message-field extraction#16
blue4209211 merged 1 commit into
mainfrom
fix/json-log-pattern-hashing

Conversation

@mayankpande88

Copy link
Copy Markdown
Contributor

Summary

  • normalizeJSONLog: Extract patterns only from recognized message fields (msg, message, error, err, reason, log, text) with case-insensitive key matching, instead of dumping all JSON values. Falls back to all values with a 200-char per-field cap when no message key is found.
  • TestParser: Fix test data — literal "Key" doesn't match any sensitive pattern regex (requires 10+ char credential). Now uses AKIAIOSFODNN7EXAMPLE. Sleep reduced from 10s to 3s.

Problem

  1. Empty hash collisions: Large data blobs (HTML, XML, stack traces) in JSON fields overwhelmed the pattern extractor, producing empty patterns that all hashed to d41d8cd9... (MD5 of empty string)
  2. Unstable hashes: Metadata fields (timestamps, trace IDs, file paths, account IDs) changed between log entries from different pods/times, producing different hashes for the same error
  3. TestParser always failing: Test credential "Key" was too short to match any sensitive pattern regex

Test plan

  • All 33 existing + new tests pass
  • TestJsonPatternRealLokiLogs — 13 hand-picked production logs (Go zerolog, Python, custom JSON)
  • TestJsonPatternBulkLokiLogs — 459 unique production logs from Loki, 0 empty-hash violations
  • TestJsonPatternMessageFieldOnly — hash stability across metadata changes
  • TestJsonPatternCaseInsensitiveKeysMessage, message, MSG all work
  • TestJsonPatternFallback — no-message-key path still works
  • TestJsonPatternWithErrorField — error field differentiation
  • TestParser — now passes (was permanently broken before)

normalizeJSONLog was dumping all JSON field values into the pattern,
causing empty hashes when large data blobs (HTML, stack traces)
overwhelmed the extractor, and unstable hashes when metadata fields
(timestamps, trace IDs, file paths) changed between log entries.

Now extracts patterns only from recognized message fields
(msg, message, error, err, reason, log, text) with case-insensitive
key matching, following industry standard (Datadog, New Relic, Elastic).
Falls back to all values with a per-field length cap when no message
key is found.

Also fixes TestParser: test data didn't match any sensitive pattern
regex (literal "Key" vs required 10+ char credential).
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants