How do I resolve Panther log schema parsing issues caused by inconsistent data types in event fields?

Last updated: November 25, 2025

QUESTION

I have log event field values that are sometimes a string and sometimes an array, which causes parsing failures. The field type changes between individual logs. How do I handle this so the logs can pass schema validation?

ANSWER

When you encounter parsing errors due to inconsistent field types (like a field that is sometimes a string and sometimes an array), you can use a parser script to handle the data type variations before schema validation occurs.

In your parser script, you can check the data type of the problematic field and normalize it to match your schema definition. For example, if your schema expects an array but sometimes receives a string, you can convert single string values into arrays.
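
The normalization described above, as an added example that is not part of the original article or Panther's own code. It is written in standard Python for illustration; the field names `recipients` and `tags`, the `parse` and `to_array` function names, and the sample log lines are assumptions constructed for this example, so adapt them to your schema and to the syntax your parser script uses.

```python
import json

# Assumption: fields your schema declares as arrays (hypothetical names).
ARRAY_FIELDS = ("recipients", "tags")


def to_array(value):
    """Coerce a value so it always matches an array-typed schema field."""
    if value is None:
        return []          # design choice: treat null as an empty array
    if isinstance(value, list):
        return value       # already the expected type, leave untouched
    return [value]         # lone string (or other scalar) -> one-element array


def normalize(event, array_fields=ARRAY_FIELDS):
    """Return a copy of the event with the listed fields forced to arrays."""
    out = dict(event)
    for name in array_fields:
        if name in out:    # absent fields stay absent; nothing is invented
            out[name] = to_array(out[name])
    return out


def parse(raw_line):
    """Parse one JSON log line and normalize it before schema validation."""
    return normalize(json.loads(raw_line))


# Constructed sample input: the same field arrives as a string, an array, or null.
SAMPLE_LINES = [
    '{"user": "alice", "recipients": "bob@example.com"}',
    '{"user": "alice", "recipients": ["bob@example.com", "eve@example.com"]}',
    '{"user": "carol", "recipients": null, "tags": "external"}',
    '{"user": "dave"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(parse(line)))
```

Every event that leaves `parse` carries the listed fields as arrays, so a single schema definition validates all four sample shapes.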