Added support to collect the timestamp from cloudwatch source and enrich the row if row does not have the timestamp

Author: ParthaI

tables/lambda_log/lambda_log_mapper.go

@@ -2,14 +2,14 @@ package lambda_log
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
-	"log/slog"
+	"regexp"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
 
-	// "github.com/turbot/tailpipe-plugin-aws/rows"
-	// "github.com/turbot/tailpipe-plugin-sdk/table"
 	"github.com/turbot/tailpipe-plugin-sdk/mappers"
 )
 
@@ -20,70 +20,301 @@ func (m *LambdaLogMapper) Identifier() string {
 	return "lambda_log_mapper"
 }
 
+// JSON format for system logs as described in AWS docs
+// Contains "time", "type", and "record" fields
+// System logs are sometimes known as platform event logs
+// https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs-advanced.html#monitoring-cloudwatchlogs-logformat
+type jsonFormatSystemLog struct {
+	Time   string                 `json:"time"`
+	Type   string                 `json:"type"`
+	Record map[string]interface{} `json:"record"`
+}
+
+// JSON format for application logs as described in AWS docs
+// Contains "timestamp", "level", "message", and "requestId" fields
+// Generated by Lambda functions using supported logging methods
+// https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs-advanced.html#monitoring-cloudwatchlogs-logformat
+type jsonFormatApplicationLog struct {
+	Timestamp string `json:"timestamp"`
+	Level     string `json:"level"`
+	Message   string `json:"message"`
+	RequestID string `json:"requestId"`
+}
+
 func (m *LambdaLogMapper) Map(_ context.Context, a any, _ ...mappers.MapOption[*LambdaLog]) (*LambdaLog, error) {
 	row := &LambdaLog{}
 
-	rawRow := ""
-
+	var raw string
 	switch v := a.(type) {
 	case []byte:
-		rawRow = string(v)
+		raw = string(v)
 	case string:
-		rawRow = v
+		raw = v
 	case *string:
-		rawRow = *v
+		raw = *v
 	default:
-		return nil, fmt.Errorf("expected string, got %T", a)
+		return nil, fmt.Errorf("expected string or []byte, got %T", a)
 	}
 
-	slog.Error("rawRow ---->>>", rawRow)
+	// First unmarshal into a minimal structure to detect log type
+	var probe map[string]json.RawMessage
+	if err := json.Unmarshal([]byte(raw), &probe); err == nil {
+		// Check for system log keys (platform events with time, type, record structure)
+		if _, hasType := probe["type"]; hasType {
+			var systemLog jsonFormatSystemLog
+			if err := json.Unmarshal([]byte(raw), &systemLog); err != nil {
+				return nil, fmt.Errorf("error unmarshalling as system log: %w", err)
+			}
 
-	rawRow = strings.TrimSuffix(rawRow, "\n")
-	fields := strings.Fields(rawRow)
+			// Parse system log fields based on AWS JSON format for system logs
+			if t, err := time.Parse(time.RFC3339, systemLog.Time); err == nil {
+				row.Timestamp = &t
+			}
+			row.LogType = &systemLog.Type
+			if msgBytes, err := json.Marshal(systemLog.Record); err == nil {
+				message := string(msgBytes)
+				row.Message = &message
+			} else {
+				// fallback in case of marshal error
+				message := fmt.Sprintf("%v", systemLog.Record)
+				row.Message = &message
+			}
 
-	switch fields[0] {
-	case "START", "END":
-		row.LogType = &fields[0]
-		row.RequestID = &fields[2]
-	case "REPORT":
-		row.LogType = &fields[0]
-		row.RequestID = &fields[2]
-		duration, err := strconv.ParseFloat(fields[4], 64)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing duration: %w", err)
+			// Extract specific fields from platform event record
+			if requestId, ok := systemLog.Record["requestId"].(string); ok {
+				row.RequestID = &requestId
+			}
+			// Extract metrics from platform.report events
+			if metrics, ok := systemLog.Record["metrics"].(map[string]interface{}); ok {
+				if v, ok := metrics["durationMs"].(float64); ok {
+					row.Duration = &v
+				}
+				if v, ok := metrics["billedDurationMs"].(float64); ok {
+					row.BilledDuration = &v
+				}
+				if v, ok := metrics["memorySizeMB"].(float64); ok {
+					mem := int(v)
+					row.MemorySize = &mem
+				}
+				if v, ok := metrics["maxMemoryUsedMB"].(float64); ok {
+					mem := int(v)
+					row.MaxMemoryUsed = &mem
+				}
+			}
+
+			return row, nil
+		} else if _, hasLevel := probe["level"]; hasLevel {
+			// Fallback to application log (JSON format with timestamp, level, message, requestId)
+			var appLog jsonFormatApplicationLog
+			if err := json.Unmarshal([]byte(raw), &appLog); err != nil {
+				return nil, fmt.Errorf("error unmarshalling as application log: %w", err)
+			}
+
+			// Parse application log fields based on AWS JSON format for app logs
+			if t, err := time.Parse(time.RFC3339, appLog.Timestamp); err == nil {
+				row.Timestamp = &t
+			}
+			row.LogLevel = &appLog.Level
+			row.Message = &appLog.Message
+			row.RequestID = &appLog.RequestID
 		}
-		row.Duration = &duration
-		billed, err := strconv.ParseFloat(fields[8], 64)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing billed duration: %w", err)
+	} else if len(strings.Fields(raw)) >= 4 && isTimestamp(strings.Fields(raw)[0]) { // plain text application log
+		// Handle plain text application logs (format: timestamp requestID logLevel message)
+		// Example: 2024-10-27T19:17:45.586Z 79b4f56e-95b1-4643-9700-2807f4e68189 INFO some log message
+		fields := strings.Fields(raw)
+		// Timestamp
+		if t, err := time.Parse(time.RFC3339, fields[0]); err == nil {
+			row.Timestamp = &t
 		}
-		row.BilledDuration = &billed
-		mem, err := strconv.Atoi(fields[12])
-		if err != nil {
-			return nil, fmt.Errorf("error parsing memory size: %w", err)
+		// RequestID
+		var uuidRegex = regexp.MustCompile(`^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$`)
+		if uuidRegex.MatchString(fields[1]) {
+			row.RequestID = &fields[1]
 		}
-		row.MemorySize = &mem
-		maxMem, err := strconv.Atoi(fields[17])
+		// LogLevel
+		if slices.Contains([]string{"INFO", "DEBUG", "WARN", "ERROR", "FATAL", "TRACE", ""}, fields[2]) {
+			row.LogLevel = &fields[2]
+		}
+		// Message
+		if len(fields) >= 4 {
+			msg := strings.Join(fields[3:], " ")
+			row.Message = &msg
+		}
+	} else {
+		// Handle legacy plain text system logs (START, END, REPORT format)
+		row, err := parseLambdaPainTextLog(raw)
 		if err != nil {
-			return nil, fmt.Errorf("error parsing max memory used: %w", err)
+			return nil, fmt.Errorf("error parsing lambda pain text log: %w", err)
 		}
-		row.MaxMemoryUsed = &maxMem
-	default:
-		t := "LOG"
-		row.LogType = &t
+		row.Message = &raw
+	}
 
-		ts, err := time.Parse(time.RFC3339, fields[0])
-		if err != nil {
-			return nil, fmt.Errorf("error parsing timestamp: %w", err)
+	return row, nil
+}
+
+// parseLambdaPainTextLog handles the legacy plain text format for Lambda system logs
+// These include START, END, and REPORT messages that aren't in JSON format
+// Example:
+// START RequestId: 8b133862-5331-4ded-ac5d-1ad5da5aee81
+// END RequestId: 8b133862-5331-4ded-ac5d-1ad5da5aee81
+// REPORT RequestId: 8b133862-5331-4ded-ac5d-1ad5da5aee81 Duration: 123.45 ms Billed Duration: 124 ms Memory Size: 128 MB Max Memory Used: 84 MB
+func parseLambdaPainTextLog(line string) (*LambdaLog, error) {
+	log := &LambdaLog{}
+	now := time.Now().UTC()
+	log.Timestamp = &now
+
+	switch {
+	case strings.HasPrefix(line, "START RequestId:"):
+		// Parse START log line
+		log.LogType = ptr("START")
+		if id := extractAfter(line, "START RequestId: "); id != "" {
+			log.RequestID = ptr(strings.Fields(id)[0])
 		}
-		row.Timestamp = &ts
+		log.Message = ptr(line)
 
-		row.RequestID = &fields[1]
-		row.LogLevel = &fields[2]
-		strip := fmt.Sprintf("%s%s", strings.Join(fields[:3], "\t"), "\t")
-		stripped := strings.TrimPrefix(rawRow, strip)
-		row.Message = &stripped
+	case strings.HasPrefix(line, "END RequestId:"):
+		// Parse END log line
+		log.LogType = ptr("END")
+		if id := extractAfter(line, "END RequestId: "); id != "" {
+			log.RequestID = ptr(strings.Fields(id)[0])
+		}
+		log.Message = ptr(line)
+
+	case strings.HasPrefix(line, "REPORT RequestId:"):
+		// Parse REPORT log line which contains metrics
+		log.LogType = ptr("REPORT")
+		log.Message = ptr(line)
+
+		// Extract RequestId
+		if id := extractAfter(line, "REPORT RequestId: "); id != "" {
+			log.RequestID = ptr(strings.Fields(id)[0])
+		}
+
+		// Extract numeric metrics from REPORT line
+		if val := extractBetween(line, "Duration: ", " ms"); val != "" {
+			if f, err := strconv.ParseFloat(val, 64); err == nil {
+				log.Duration = &f
+			}
+		}
+		if val := extractBetween(line, "Billed Duration: ", " ms"); val != "" {
+			if f, err := strconv.ParseFloat(val, 64); err == nil {
+				log.BilledDuration = &f
+			}
+		}
+		if val := extractBetween(line, "Memory Size: ", " MB"); val != "" {
+			if i, err := strconv.Atoi(val); err == nil {
+				log.MemorySize = &i
+			}
+		}
+		if val := extractBetween(line, "Max Memory Used: ", " MB"); val != "" {
+			if i, err := strconv.Atoi(val); err == nil {
+				log.MaxMemoryUsed = &i
+			}
+		}
 	}
 
-	return row, nil
+	return log, nil
+}
+
+// ptr is a helper function to return a pointer to a value
+func ptr[T any](v T) *T {
+	return &v
+}
+
+// extractAfter extracts substring that comes after a specific prefix
+func extractAfter(s, prefix string) string {
+	idx := strings.Index(s, prefix)
+	if idx == -1 {
+		return ""
+	}
+	return strings.TrimSpace(s[idx+len(prefix):])
+}
+
+// extractBetween extracts substring between start and end strings
+func extractBetween(s, start, end string) string {
+	i := strings.Index(s, start)
+	if i == -1 {
+		return ""
+	}
+	i += len(start)
+	j := strings.Index(s[i:], end)
+	if j == -1 {
+		return ""
+	}
+	return strings.TrimSpace(s[i : i+j])
+}
+
+// isTimestamp checks if the input string matches any common Go time formats.
+// Used to identify if a plain text log starts with a timestamp
+func isTimestamp(s string) bool {
+	layouts := []string{
+		time.RFC3339,
+		time.RFC3339Nano,
+		time.RFC1123,
+		time.RFC1123Z,
+		time.RFC822,
+		time.RFC822Z,
+		time.RFC850,
+		"2006-01-02 15:04:05",        // Common log format
+		"2006-01-02 15:04:05.000000", // With microseconds
+		"2006-01-02T15:04:05",        // ISO-like without timezone
+		"2006-01-02T15:04:05Z07:00",  // ISO with TZ offset
+		"20060102T150405Z",           // AWS style compact
+	}
+
+	for _, layout := range layouts {
+		if _, err := time.Parse(layout, s); err == nil {
+			return true
+		}
+	}
+
+	return false
 }
+
+// Commented out legacy code
+// rawRow = strings.TrimSuffix(rawRow, "\n")
+// 	fields := strings.Fields(rawRow)
+
+// 	switch fields[0] {
+// 	case "START", "END":
+// 		row.LogType = &fields[0]
+// 		row.RequestID = &fields[2]
+// 	case "REPORT":
+// 		row.LogType = &fields[0]
+// 		row.RequestID = &fields[2]
+// 		duration, err := strconv.ParseFloat(fields[4], 64)
+// 		if err != nil {
+// 			return nil, fmt.Errorf("error parsing duration: %w", err)
+// 		}
+// 		row.Duration = &duration
+// 		billed, err := strconv.ParseFloat(fields[8], 64)
+// 		if err != nil {
+// 			return nil, fmt.Errorf("error parsing billed duration: %w", err)
+// 		}
+// 		row.BilledDuration = &billed
+// 		mem, err := strconv.Atoi(fields[12])
+// 		if err != nil {
+// 			return nil, fmt.Errorf("error parsing memory size: %w", err)
+// 		}
+// 		row.MemorySize = &mem
+// 		maxMem, err := strconv.Atoi(fields[17])
+// 		if err != nil {
+// 			return nil, fmt.Errorf("error parsing max memory used: %w", err)
+// 		}
+// 		row.MaxMemoryUsed = &maxMem
+// 	default:
+// 		t := "LOG"
+// 		row.LogType = &t
+
+// 		ts, err := time.Parse(time.RFC3339, fields[0])
+// 		if err != nil {
+// 			return nil, fmt.Errorf("error parsing timestamp: %w", err)
+// 		}
+// 		row.Timestamp = &ts
+
+// 		row.RequestID = &fields[1]
+// 		row.LogLevel = &fields[2]
+// 		strip := fmt.Sprintf("%s%s", strings.Join(fields[:3], "\t"), "\t")
+// 		stripped := strings.TrimPrefix(rawRow, strip)
+// 		row.Message = &stripped
+// 	}

tables/lambda_log/lambda_log_table.go

@@ -1,6 +1,7 @@
 package lambda_log
 
 import (
+	"regexp"
 	"time"
 
 	"github.com/rs/xid"
@@ -61,13 +62,25 @@ func (c *LambdaLogTable) EnrichRow(row *LambdaLog, sourceEnrichmentFields schema
 	// Record standardization
 	row.TpID = xid.New().String()
 	row.TpIngestTimestamp = time.Now()
-	if !row.TpTimestamp.IsZero() {
+	if row.Timestamp != nil {
 		row.TpTimestamp = *row.Timestamp
 		row.TpDate = row.Timestamp.Truncate(24 * time.Hour)
+	} else if !row.TpTimestamp.IsZero() {
+		row.TpDate = row.TpTimestamp.Truncate(24 * time.Hour)
 	}
 
 	row.TpIndex = schema.DefaultIndex
 
+	var arnRegex = regexp.MustCompile(`arn:aws:[^,\s'"\\]+`)
+
+	seen := map[string]struct{}{}
+	for _, match := range arnRegex.FindAllString(*row.Message, -1) {
+		if _, exists := seen[match]; !exists {
+			seen[match] = struct{}{}
+			row.TpAkas = append(row.TpAkas, match)
+		}
+	}
+
 	// TODO: Add enrichment fields
 
 	return row, nil