We have a few issues being reported that were previously categorized as errors (via the level attribute). We’ve started categorizing them as warnings now. When searching for level:error, however, these issues still show up in the results. Why does this happen and how do we fix it?
Without an example, I can only make assumptions here:
I’m assuming that these are the same as previous errors that we’ve seen. The log level doesn’t impact grouping. When using our search, we search for groups, not individual events. So what this means is if a group contains events that have both ERROR level and WARNING level, a search for level:error is going to return any group that contains any events that match that.
The only way to “fix” is to remove the bad data, or factor log level into your own grouping logic with fingerprinting.
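The fingerprinting option from the answer above, as an added example that is not part of the original thread or Sentry's own code: a `before_send` hook (passed to the SDK as `sentry_sdk.init(before_send=before_send)`) that appends the level to the default fingerprint, run against a toy model of group-level search. The grouping model, the use of `message` as a stand-in for default grouping, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict


def before_send(event, hint):
    """SDK before_send hook: keep default grouping, but split groups by level."""
    level = event.get("level") or "error"
    # "{{ default }}" tells Sentry to keep its normal grouping hash as one part.
    event["fingerprint"] = ["{{ default }}", level]
    return event


def group_events(events, use_hook):
    """Toy model (assumption): events with the same fingerprint share a group."""
    groups = defaultdict(list)
    for ev in events:
        ev = dict(ev)  # do not mutate the sample data
        if use_hook:
            ev = before_send(ev, {})
        # Stand-in for default grouping: the constructed "message" field.
        parts = ev.get("fingerprint", ["{{ default }}"])
        key = tuple(ev["message"] if p == "{{ default }}" else p for p in parts)
        groups[key].append(ev)
    return groups


def search_level(groups, level):
    """Search returns groups; a group matches if ANY of its events has the level."""
    return sorted(k for k, evs in groups.items()
                  if any(e["level"] == level for e in evs))


# Constructed sample: one issue reported first as error, later as warning.
EVENTS = [
    {"message": "payment gateway timeout", "level": "error"},
    {"message": "payment gateway timeout", "level": "warning"},
    {"message": "payment gateway timeout", "level": "warning"},
]

if __name__ == "__main__":
    # Without the hook: one mixed group, so level:error still returns it.
    print(search_level(group_events(EVENTS, use_hook=False), "error"))
    # With the hook: warnings land in their own group, outside level:error.
    print(search_level(group_events(EVENTS, use_hook=True), "error"))
```

The hook only changes how newly sent events are grouped; events already stored in a mixed group stay there, which is why the answer lists removing the old data as the other option.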