Troubleshooting Parsers

This topic provides guidance for troubleshooting issues related to parsers.

Lua Parser Errors

Lua parsers occasionally generate errors. If a parser enters a state where it generates multiple errors, these errors can hinder performance. Beginning with 11.4, a new option is available for Lua parsers that instructs the Decoder to automatically disable the parser after a configurable number of errors.

The value is set on the /decoder/parsers/config/parsers.options configuration node as shown in the following example:

Entropy="log2=true" GeoIP2="ipaddr=ip.src,ip.dst,ipv6.src,ipv6.dst" error_parser="errorMax=5" addy_parser="errorMax=10"

This configuration node enables you to set options for different parsers. In this example, the Lua parser error_parser is configured with a maximum error count of 5, and the addy_parser to 10. The errorMax setting has a valid range of values from 0 (meaning the feature is disabled) to 65,535, and takes effect when parsers are loaded or reloaded.

To disable a Lua parser after a defined number of errors:

  1. Go to ADMIN > Services, select a Decoder and then select netwitness_actiondd.png > View > Explore.
  2. In the left panel, expand decoder > parsers, and select config.
  3. In parsers.options, add the following command, where <any_parser> is the Lua parser for which you want to limit errors, and <n> is the number of errors to which the parser is limited:
    <any_parser>="errorMax=<n>"
  4. In the left panel, right-click parsers and click Properties. In the drop-down menu, select reload and then click Send.

Results of Automatically Disabling a Parser

When a parser is automatically disabled, a log message is generated (per parser thread) and states that the parser has been disabled, as shown in the following example:

(W) 2019-Apr-25 16:25:33 [Parse] Lua parser 'error_parser' has been disabled because it exceeded the configured error threshold (5)

If detailed statistics for parsers are enabled, the text of the last error is populated in the parser's detailed statistics under /decoder/parsers/definitions/<parser-name>. Also, a new attribute has been added to the XML returned by the /decoder/parsers?msg=schema call. When the parser is in an error state, the attribute error is set to 1 and the enabled attribute is set to 0. When the parser is reset, the values are reset to 0 and 1 respectively.

Resetting the Parser

If a parser is disabled because it has exceeded the error threshold, it can be reset by reloading the parser. This causes the statistics to reset so that if the faulty parser is still in place, it will function again until the error threshold is met.