Fluent bit hasn't support multiline regexp for json-logs (docker) #1602

Closed
martiyanov opened this issue Sep 30, 2019 · 3 comments

martiyanov commented Sep 30, 2019

Hi, please add multiline support for docker logs.

It's enough to add a common regexp template for all lines after the first.

I've tried to use the current regexp, but now it works only with the first line, or only the second, but not all following lines. As a result I have the following output in logs:

    2019-09-26 19:25:51.921  INFO 1 --- [or-http-epoll-4] v.a.ReactiveLifecycleAwareSessionManager : Scheduling Token renewal\n
    {"log":"\n","stream":"stdout","time":"2019-09-26T16:25:54.06737985Z"}
    {"log":"  .   ____          _            __ _ _\n","stream":"stdout","time":"2019-09-26T16:25:54.067645892Z"}
    {"log":" /\\\\ / ___'_ __ _ _(_)_ __  __ _ \\ \\ \\ \\\n","stream":"stdout","time":"2019-09-26T16:25:54.067913144Z"}
    {"log":"( ( )\\___ | '_ | '_| | '_ \\/ _` | \\ \\ \\ \\\n","stream":"stdout","time":"2019-09-26T16:25:54.0684343Z"}
    {"log":" \\\\/  ___)| |_)| | | | | || (_| |  ) ) ) )\n","stream":"stdout","time":"2019-09-26T16:25:54.068746673Z"}
    {"log":"  '  |____| .__|_| |_|_| |_\\__, | / / / /\n","stream":"stdout","time":"2019-09-26T16:25:54.068993666Z"}
    {"log":" =========|_|==============|___/=/_/_/_/\n","stream":"stdout","time":"2019-09-26T16:25:54.069339259Z"}
    {"log":" :: Spring Boot ::        (v2.1.6.RELEASE)\n","stream":"stdout","time":"2019-09-26T16:25:54.0702339Z"}
    {"log":"\n","stream":"stdout","time":"2019-09-26T16:25:54.070396625Z"}

My configs:

    [FILTER]
        Name                kubernetes
        Match               kube.*
        Kube_URL            https://kubernetes.default.svc:443
        Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
        Kube_Tag_Prefix     kube.var.log.containers.
        Merge_Log_Key       log_processed
        Merge_Log           On
        Merge_Log_Trim      On
        K8S-Logging.Parser  On
        K8S-Logging.Exclude Off
    [FILTER]
        Name                nest
        Match               *
        Operation           lift
        Nested_under        kubernetes
        Prefix_with         kubernetes_
    [FILTER]
        Name                nest
        Match               *
        Operation           lift
        Nested_under        kubernetes_labels
        Prefix_with         kubernetes_labels_
    [FILTER]
        Name                modify
        Match               *
        Add                 index integration
        Rename              log event
        Hard_copy           kubernetes_labels_index index
        Copy                kubernetes_host host
        Copy                kubernetes_pod_name source
        Copy                kubernetes_namespace_name sourcetype
        Hard_copy           kubernetes_labels_sourcetype sourcetype
    [FILTER]
        Name                modify
        Match               *
        Condition           Key_value_equals kubernetes_container_name istio-proxy
        Hard_copy           kubernetes_container_name sourcetype 
    [FILTER]
        Name                record_modifier
        Match               *
        Whitelist_key event
        Whitelist_key host
        Whitelist_key source
        Whitelist_key index
        Whitelist_key sourcetype
    [INPUT]
        Name              tail
        Tag               kube.*
        Path              /var/log/containers/nc-wf-*.log
        Multiline         On
        Parser_Firstline  audit-firstline
        Parser_2          audit-line-2
        DB                /var/log/flb_kube.db
        Mem_Buf_Limit     5MB
        Skip_Long_Lines   On
        Refresh_Interval  10
    [OUTPUT]
        Name            splunk
        Match           *
        Host            ...
        Port            8088
        URI             /services/collector/event
        Splunk_Token    ...
        TLS             On
        TLS.Verify      Off
        Format          json
        Splunk_Send_Raw On

    [PARSER]
        Name        docker
        Format      json
        Time_Key    time
        Time_Format %Y-%m-%dT%H:%M:%S.%L
        Time_Keep   On
        # Command      |  Decoder | Field | Optional Action
        # =============|==================|=================
        Decode_Field_As   escaped_utf8    log    do_next
        Decode_Field_As   escaped         log    do_next
        Decode_Field_As   json            log

    [PARSER]
        Name        audit-firstline
        Format      regex
        #Regex       ^(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(.|,)\d{3}) (?<message>.+)$
        #Regex       ^{"log":"(?<log>\S(?:(\\")|[^"]){9}(?:(\\")|[^"])*)"
        Regex       ^{"log":"(?<log>(?<time>\d{4}-\d{2}-\d{2}( |\T)\d{2}:\d{2}:\d{2}(.|,)\d{3})(?:(\\")|[^"]){9}(?:(\\")|[^"])*)"

@martiyanov martiyanov changed the title Fluent bit hasn't support for multiline json-logs (docker) Fluent bit hasn't support multiline regexp for json-logs (docker) Sep 30, 2019

@davie5201314

I get the same problem. How to resolve it?

martiyanov commented Jan 5, 2021 via email

edsiper commented Jul 20, 2021

Multiline Update

As part of Fluent Bit v1.8, we have released a new Multiline core functionality. This new big feature allows you to configure new [MULTILINE_PARSER]s that support multi formats/auto-detection, new multiline mode on Tail plugin, and also on v1.8.2 (to be released on July 20th, 2021) a new Multiline Filter.

For now, you can take a look at the following documentation resources:

Documentation pages now point to complete config examples that are available on our repository.

Thanks everyone for supporting this!

@edsiper edsiper closed this as completed Jul 20, 2021
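
The grouping this issue asks for, as an added example that is not part of the thread and is not Fluent Bit code: decode each docker json-file record first, then apply the start-of-event test to the decoded `log` text instead of the raw JSON line. The `group_events` name, the per-stream buffering and the sample records are assumptions made for the illustration.

```python
import json
import re

# Start-of-event test: the timestamp layout of the issue's sample log line.
START = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}[.,]\d{3}")

# Constructed json-file records (not taken from the issue), one per line.
SAMPLE = [
    r'{"log":"2019-09-26 19:25:51.921  INFO 1 --- [main] demo.App : starting\n","stream":"stdout","time":"2019-09-26T16:25:51.921Z"}',
    r'{"log":"java.lang.IllegalStateException: constructed failure\n","stream":"stdout","time":"2019-09-26T16:25:51.922Z"}',
    r'{"log":"\tat demo.App.run(App.java:10)\n","stream":"stdout","time":"2019-09-26T16:25:51.923Z"}',
    'truncated write, not JSON',
    r'{"log":"2019-09-26 19:25:54.070  INFO 1 --- [main] demo.App : started\n","stream":"stdout","time":"2019-09-26T16:25:54.070Z"}',
]


def group_events(raw_lines):
    """Decode each json-file record, then merge continuation lines per stream."""
    events = []    # finished events, in flush order
    pending = {}   # stream name -> event currently being assembled

    for raw in raw_lines:
        try:
            rec = json.loads(raw)
            text, stream = rec["log"], str(rec.get("stream", "stdout"))
            is_start = START.match(text) is not None
        except (ValueError, KeyError, TypeError):
            continue   # not a usable json-file record: skip it, do not guess
        if is_start or stream not in pending:
            # A new event begins (or a continuation arrived with no parent).
            if stream in pending:
                events.append(pending.pop(stream))
            pending[stream] = {"log": text, "stream": stream,
                               "time": rec.get("time")}
        else:
            # Continuation: append the decoded text, keep the first timestamp.
            pending[stream]["log"] += text
    events.extend(pending.values())   # flush whatever is still buffered
    return events


if __name__ == "__main__":
    for event in group_events(SAMPLE):
        print(json.dumps(event))
```
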