chore: RFC for handling discarded events

[bruceg]

Rendered

Ref: #1772 #12217 #13549 #16432 #16432 #17962

[netlify]

✅ Deploy Preview for vector-project canceled.

Name	Link
🔨 Latest commit	861bf04
🔍 Latest deploy log	https://app.netlify.com/sites/vector-project/deploys/63634bbc418f2500081eb788

[spencergilbert]

I find the names used here awkward, but admittedly don't have any suggestions.

[jszwedko]

An alternative name for disposition could be on_error (or on_discard).

[bruceg]

It could be, but only as applies to the error output. The proposed disposition applies to all named outputs, including from the datadog_agent source and the remap transform.

[spencergilbert]

Yes! 👍

[sweeneyb]

Yes. This feels similar to firewall/WAF products having "advisory" and "blocking" mode. As a learner, it's nice to get things up and running and be warned of dangerous configurations. Once I'm comfortable and depending on the product, I want a "strict" mode that more forcefully calls things out.

[spencergilbert]

🤔 if we're forcing it to be handled, I would think they could be counted like we do with other event streams - events/bytes sent/received. Practically, that seems like a hard sell given the work we've just put into the discarded metrics and compatibility with the ui.

[tobz]

Yeah, I agree that if we're not dropping them on the floor, then they aren't really discarded... just routed elsewhere.

Although maybe with true discarded event handling, "discarded" metrics would simply be the indication of how many discarded events were sent by that component, and then if the event made it to a component where we just dropped/rejected it, without further daisy chained error outputs... that would be when we emit an actual error metric?

Dunno, I feel like we could argue the definition of this stuff until the cows come home.

[jszwedko]

Hmm, yeah, the relationship between this and the discarded event metric will require some thought.

[kushalhalder]

I agree with tobz here. In the data flow from source to sink, since all the components are sending an event to the next component, the final discard event will be thrown by the last component.
I see the importance of the discarded metrics, it gives the true number of the events. Subsequent metrics from the dlq component helps us understand the lag behind discarded and writes to dlq, and the loss in these events too. We will need indicators, for example: the difference between the number of discarded events versus the discarded events written to the dlq component. These numbers need to be close to zero in a given window.

TL;DR: we need discarded events metrics, and some more.

[lukesteensen]

Is this type of failure possible in cases other than a non-graceful shutdown (i.e. panic)?

[bruceg]

Maybe, at the end of a graceful shutdown where components are being forcefully terminated. I think we could still send the data to the discard output in hopes it is still connected, and/or mark them as failed.

[lukesteensen]

If we're already forcefully terminating components then it seems unlikely that we'd be able to successfully send the events anywhere. I ask mostly because this would be a failure case that'd apply to every source and transform, even those that may not have any other way of dropping event, and I'd rather focus this feature around the components where there's a more meaningful type of failure possible.

[lukesteensen]

How will this relate to the existing errors output from the remap transform?

[bruceg]

I'm not exactly sure. I am of the mind that it should be split between errors and discards (ie abort), but that introduces a significant breaking change. If, on the other hand, we call the new output errors, this works for remap but not everything that is discarded is an error.

[bruceg]

Ah, nevermind, the remap transform already has a dropped output that is what we need, so I think all the rest of this RFC is about errors in particular and not generic "discards".

[lukesteensen]

Do you see this config applying to other outputs in the future? It sounds like we're only talking about a single hardcoded discards output, so I'm not sure that we need to nest the configuration in such a way that implies it could be applied to other outputs as well.

What's the benefit of outputs.NAME.disposition vs something like on_discard = {send,drop,reject}?

[bruceg]

We have some sources, like datadog_agent IIRC, that already have multiple outputs. If users do not want to wire up one of those outputs and we enforce that all outputs be handled, then now they need a blackhole for that output as well because we special-cased the discard handling. With the generic handling, all cases are covered.

[lukesteensen]

That's a good point, I didn't consider the effect on those sources. I am still a little bit hesitant to have configuration that refers to a named output that won't actually exist (when configured to drop or reject), since that could result in some confusion. I'm not sure I have a great alternative though, aside from introducing separate config on those sources that controls which events types are emitted.

[tobz]

This is looking good so far, but I had a few clarifying questions to make sure I understand the scope.

[tobz]

These make sense individually, but I find it... let's call it "weird", that I could have a component which selects another component's discards output but then that upstream component could basically just disable the sending of those discarded events even though I've named that output specifically?

If that's not the intention, then maybe this is just a docs problem, but that was my initial impression seeing these three distinct options.

[bruceg]

That will be something caught by the configuration verification stage, that "handled" outputs are not named as an input. This is an issue I discussed later in the document in "Alternatives" as not having a great solution IMO.

[tobz]

This section confuses me a little bit.

Why would a sink be needed if operators can control the output behavior at the component itself? Which is to say, if a source can configure its discarded events output to drop or reject... why would we ever set up a downstream component to collect those events unless it was actually going to do something with them?

[bruceg]

The "without any help from Vector" is trying to say that we are not helping sinks by allowing a source to configure its output to drop or reject. I will try to reword to clarify.

[tobz]

Yeah, I agree that if we're not dropping them on the floor, then they aren't really discarded... just routed elsewhere.

Although maybe with true discarded event handling, "discarded" metrics would simply be the indication of how many discarded events were sent by that component, and then if the event made it to a component where we just dropped/rejected it, without further daisy chained error outputs... that would be when we emit an actual error metric?

Dunno, I feel like we could argue the definition of this stuff until the cows come home.

[jszwedko]

Nice write-up!

[jszwedko]

An alternative name for disposition could be on_error (or on_discard).

[jszwedko]

I wonder if we could have global configuration for the disposition as well? That might simplify it for simple use-cases. Like setting disposition = "drop" at the global level and have it apply to all components.

Could also do the same at the component level for those that already have multiple outputs in addition to letting them configure the disposition per-output.

[jszwedko]

This seems like another area that could benefit from having a copy-on-write data structure for events to avoid a full clone (I know we do have this optimization now for when the event is completely unchanged, which should help here too).

[jszwedko]

I think my suggestion above of allowing global configuration of the disposition would allow users to slowly take advantage of this new behavior component-by-component.

[jszwedko]

Hmm, yeah, the relationship between this and the discarded event metric will require some thought.

[jszwedko]

Are there any cross-cutting concerns between these new, conditional, error outputs and the configuration schema?

[jszwedko]

What will be the format of the events flowing to the errors output? Will we follow the precedent set by the remap transform of wrapping the event with some additional metadata about the failure? I think it'd be good to call that out explicitly in here.

[jszwedko]

Maybe this should take advantage of the new metadata namespacing too? That feature will only exist for logs, but we could extend it to metrics and traces. Also will we offer any guarantees about the metadata, if we do include it? I could see users starting to route on it based on the type of failure. I'd suggest we push back on that clearly document that the metadata is opaque and just for human consumption for now.

[sweeneyb]

To validate your intuition, I would be tempted to route based on the metadata from an error. Hopefully a specific example will help:

Kafka sinks can throw errors when the broker sees a message that's too large. I'm finding it difficult to know the exact message size before sending, so it's hard to build a filter upstream. I could see handling this situation by routing the error. I might route to a console log or split the message and try again.

At a minimum, I could also envision using the error data to know whether dropping the message is okay or if I need to trigger alerts.

[spencergilbert]

This should be entirely accounted for by end-to-end acknowledgements? Or is there a gap I'm not thinking of?

[jszwedko]

This is making me realize that end-to-end acks is another cross-cutting concern here.

[bruceg]

Noted.

[kushalhalder]

The situation here plays around like this: For an event, i.e, after all the retries have exhausted, will be marked as discarded. For a discarded event, the following will happen:

1. Push to DLQ with retries
2. If the write to DLQ was successful, acknowledge to the source for this event.
3. if write to DLQ failed, drop the event and acknowledge to the source for this event.
   Is this a fair understanding?

[spencergilbert]

I wonder if we should lean into existing nomenclature, namely "dead letter queues", to make this feel more familiar to users.

[spencergilbert]

Store here is for events that are going to passed to a downstream component?

[bruceg]

Correct. I'll note that.

[netlify]

❌ Deploy Preview for vrl-playground failed.

Name	Link
🔨 Latest commit	861bf04
🔍 Latest deploy log	https://app.netlify.com/sites/vrl-playground/deploys/63634bbc94e212000abde16c

[neuronull]

Suggested change

	- Handling discarded events in any way will change the interpretation of several exiting internal
	- Handling discarded events in any way will change the interpretation of several existing internal

[fuchsnj]

Overall I'm looking at what I assume are the two most common situations I think users would want.

1. A new user trying out things, who just wants to see Vector work. They don't care about errors and want them to just drop. Forcing them to create sinks to consume all errors is cumbersome / annoying. There should be an easy way to disable errors.

2. A more enterprise user that is concerned about events being dropped due to errors and wants to have a single sink that stores all the errors somewhere (s3 / kafka / etc).

   • What does the config look like here. If there are 50 components in a config, do they have to individually list out every single error output in the one sink? That seems very tedious (even if Vector enforces all the error outputs are used).
   • Once Vector is running and starts getting errors collected, the first question I have is, what failed? Do we have information on which error occurred, which component it failed in?
   • Will the events be in a format where I can re-ingest the events. Lets say there was an outage / config error which caused millions of logs to be dead-lettered. The issue was fixed, and I now want to re-process all the dead-lettered events. (I assume this is out of scope, but it's good to at least think about)

[benzaita]

It's a bit out of scope for this RFC, but very much related -- adding an event output for events that successfully went through a sink would allow customers to provide better observability into events that were successfully delivered. For example, we would like to extract metrics from delivered events so we can show our customers how many events we successfully delivered. As it is now, we can only do that before the sink.

[tobz]

Feel free to file an issue about this, but as worded, it sounds like what you're looking for are the existing component metrics such as component_sent_events_total, which sinks do emit.

[benzaita]

I think this might clarify what I meant: #14708 (comment)

[jszwedko]

Note we will probably need to resolve #14969 as part of this work as it will make the incorrect type definitions much more common.

[inftl]

Ideally this is also supported in sinks. Since a sink can fail inserting, it would be nice to have a backup sink.