Ip matcher for LogQL #3986

kavirajk · 2021-07-12T22:44:18Z

What this PR does / why we need it:

This PR adds buiilt-in IP matcher support for LogQL. It adds filter ip(pattern). It works with both IPv4 and IPv6 and can be used as both label_filter and line_filter

pattern can be one of the following.

Single IP - e.g: 192.168.0.1, ::1
IP Range - e.g: 192.168.0.1-192.189.10.12, 2001:db8::1-2001:db8::8
CIDR - e.g: 192.168.4.5/16, 2001:db8::/32

Example queries:

`{ foo = "bar" }|=ip("192.168.4.5/16")
{ foo = "bar" }|logfmt|addr=ip("192.168.4.5/16")
{ foo = "bar" }|logfmt|remote_addr=ip("2001:db8::1-2001:db8::8")|level="error"

Which issue(s) this PR fixes:
Fixes #2722

Special notes for your reviewer:
Based on the design doc

Checklist

Documentation added
Tests updated

pkg/logql/log/ip_test.go

pkg/logql/expr.y

cyriltovena · 2021-07-13T10:53:10Z

pkg/logql/log/ip.go

+func (ipf *IPFilter) Process(line []byte, lbs *LabelsBuilder) ([]byte, bool) {
+
+	// make sure the pattern provided was valid, even before trying to match.
+	if ipf.patternError != nil {


This can be spotted before and so should return an error during query parsing.

Yea. thought about that actually. My previous implementation had thrown this error during constructor of NewIPFilter() but while writing grammar, there was no way to handle that error while creating the LabelFilter expression!. So I changed it to like this.

May be I'm missing something about handling this error during the parse stage?. Can you point me any example?

You can use the Stage() method of this expr, it can return an errors and will be considered as 400.

pkg/logql/log/ip.go

cyriltovena

Looking good ! I've left some comments.

kavirajk · 2021-07-13T15:22:11Z

@cyriltovena addressed your comments. can you take a look again? thanks

dannykopping

Generally looks good! Left a couple nits.

Also:
https://admin-dev-us-central-0.grafana.net/grafana/explore?orgId=1&left=%5B%22now-1h%22,%22now%22,%22loki-boltdb-shipper%22,%7B%22exemplar%22:true,%22expr%22:%22count%20by%20(the_real_ip)%20(count_over_time(%7Bcontainer%3D%5C%22ingress-nginx%5C%22%7D%20%7C%20json%20%7C%20the_real_ip%20%3D%20ip(%5C%2210.0.0.1-8.0.0.1%5C%22)%5B1m%5D))%22%7D%5D

When using an invalid IP range ip("10.0.0.1-8.0.0.1") i'm returned "query error EOF"; I think we should improve that UX by returning a more clear error.

dannykopping · 2021-07-15T08:50:26Z

docs/sources/logql/ip.md

+Consider the following logs,
+
+```
+3.180.71.3 - - [17/May/2015:08:05:32 +0000] "GET /downloads/product_1 HTTP/1.1" 304 0 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.21)"
+80.91.33.133 - - [17/May/2015:08:05:14 +0000] "GET /downloads/product_1 HTTP/1.1" 304 0 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.16)"
+46.4.66.76 - - [17/May/2015:08:05:45 +0000] "GET /downloads/product_1 HTTP/1.1" 404 318 "-" "Debian APT-HTTP/1.3 (1.0.1ubuntu2)"
+93.180.71.3 - - [17/May/2015:08:05:26 +0000] "GET /downloads/product_1 HTTP/1.1" 404 324 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.21)"
+```
+
+How would you use LogQL to search for log lines with IP addresses?. Say single IP to start with? That's easy, we can use LogQL line filter (kinda like distributed grep)
+
+```logql
+{foo="bar"} |= "3.180.71.3"
+```
+
+will output following log lines.
+
+```
+3.180.71.3 - - [17/May/2015:08:05:32 +0000] "GET /downloads/product_1 HTTP/1.1" 304 0 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.21)"
+93.180.71.3 - - [17/May/2015:08:05:26 +0000] "GET /downloads/product_1 HTTP/1.1" 404 324 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.21)"
+```
+
+but wait! what `93.180.71.3` is doing here?. Oh yea. it actually matches with what we queried for `3.180.71.3`. It can also match with other log lines which we don't actually want. The right option would be to use regexp to match the IP address(something like `|~"^3.180.71.3"`).
+
+Now forget about single IP, what about range of IP addresses? What about IP subnet? Or even more interesting IPv6 addresses? (not easy to come up with regexp for all the use cases).
+
+Luckily, LogQL comes with built-in support for IP matcher.


I don't think we need to present the need for the parser; I think that's relatively self-explanatory.

dannykopping · 2021-07-15T08:53:34Z

docs/sources/logql/ip.md

+- Label Filter
+
+```logql
+{ foo = "bar" }|logfmt|remote_addr=ip("2001:db8::1-2001:db8::8")|level="error"


Let's format these queries to make them more readable:

{ foo = "bar" } | logfmt | remote_addr=ip("2001:db8::1-2001:db8::8") | level="error"

pkg/logql/expr.y

pkg/logql/log/ip.go

pkg/logql/ast.go

cyriltovena

LGTM

cyriltovena · 2021-07-21T06:35:57Z

@dannykopping @KMiller-Grafana Are we good to go ?

KMiller-Grafana · 2021-07-21T16:57:50Z

Looks good to me. I've added an extra task to my personal to-do list to correct the weights in the docs files associated with this PR after this PR is merged in.

cyriltovena · 2021-07-22T06:37:39Z

@kavirajk can up resolve conflicts and regenerate the y.go files.

Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

1. ast tests 2. parse tests Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

1. support NEQ 2. reduce allocation. 3. Minor tweaks Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

1. Add necessary interface implementation 2. More tests for parser and ast Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

Its wierd bug. Not handing string() method breaks the parser :( Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

It got out of hands to handle both in same struct. Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>

1. Indendation fix 2. Remove string() interface for ip label filte

kavirajk · 2021-07-22T09:53:49Z

@cyriltovena conflicts resolved. Can you merge it?

pull-request-size bot added the size/XXL label Jul 12, 2021

kavirajk requested a review from a team July 13, 2021 07:51