fluent-plugin-multi-format-parser

Multiple regexes

Open Pehesi97 opened this issue 6 years ago • 8 comments

My fluentd config has two regexes, but only the first one will match.

This is my .conf file.

<source>
  @type http
  port 8888
</source>

## live debugging agent
<source>
  @type debug_agent
  bind 127.0.0.1
  port 24230
</source>

<source>
	@type tail
	path /Users/pedro/.pm2/logs/fv-back-out*.log
	pos_file /Users/pedro/.pm2/logs/fv-back-response.log.pos
	tag fv-back
	<parse>
		@type multi_format
		<pattern>
			format regexp
			expression /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>(.)*response(.)*)\] data: (?<method>[^ ]+) (?<endpoint>[^ ]+) (?<query>[^ ]+) (?<payload>[^ ]+) (?<statusCode>[^ ]+) \((?<responseTime>[^ ]+)\) (?<credentials>[^ ]+)/
			time_format %Y-%m-%d %H:%M:%S.%L
			types time:time,tags:array,statusCode:integer
		</pattern>
		<pattern>
			format regexp
			expression /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>((.)*error(.)*))\] data: \[(?<statusCode>.*)\] (?<type>.*): (?<message>.*)/
			time_format %Y-%m-%d %H-%M-%S.%L
			types time:time,tags:array,statusCode:integer
		</pattern>
	</parse>
</source>

<match fv-back*>
	@type copy

	<store>
		@type elasticsearch
		host localhost
		port 9200
		logstash_format true
	</store>

	<store>
		@type s3
		aws_key_id AKIAI3BKNP4PWLJW5PMQ
		aws_sec_key hoWhK+KzAKOwKuPszBkS8099Nuu8WZKJKo516XUY
		s3_bucket softruck.pm2.logs
		s3_region us-east-1
		path /

		<buffer time>
			@type file
			path /var/log/td-agent/s3_buffer
			timekey 3600
			timekey_wait 10m
			timekey_use_utc true
			chunk_limit_size 256m
		</buffer>
	</store>
</match>

<match **>
	@type null
</match>

And this is my Fluentd log:

2018-08-08 16:45:05 -0300 [warn]: #0 pattern not match: "2018-08-08 16:45:04.869 -03:00, [log,api,error] data: [500] SequelizeDatabaseError: relation \"daily_courses\" does not exist"

Rubular says my regex should pass. Is there anything I'm doing wrong?

Pehesi97, Aug 08 '18 19:08

same issue here. wait for an answer.

ZhangSIming-blyq, Dec 16 '19 08:12

same issue here, can anyone help?

ggpaue, Feb 06 '20 07:02

You could try this plugin: https://github.com/sesame/fluent-plugin-regexp_multi

rsilva-rs, Apr 04 '20 20:04

We are having the same issue - is there a chance this will get fixed?

davelosert, Nov 12 '20 14:11

We are having the same issue - is there a chance this will get fixed?

+1

ankit1mg, Apr 12 '21 16:04

We are having the same issue - is there a chance this will get fixed?

+1

asdfII, Apr 23 '21 15:04

Same issue. Has anyone found a solution? @rsilva-rs's plugin doesn't seem to exist anymore.

cm0s, Nov 03 '22 11:11

I think this is not a bug. The issue author's problem is the mismatch between the log body and the time format.

The second expression matches 2018-08-08 16:45:04.869 -03:00, [log,api,error] data: [500] SequelizeDatabaseError: relation "daily_courses" does not exist, but the time field, 2018-08-08 16:45:04.869, is in %Y-%m-%d %H:%M:%S.%L format, not %Y-%m-%d %H-%M-%S.%L. Putting in more <pattern> sections fixes this problem. If you have a similar "pattern not match" log, check your expression/time_format combination against your actual logs.

repeatedly, Nov 03 '22 14:11
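The diagnosis in the last comment can be reproduced offline. The following is an added example, not code from the thread or from the plugin: it checks each expression/time_format pair from the posted config against the log line from the warning and reports which half of the pair rejects it. The helper names `diagnose` and `first_match` are hypothetical, and Ruby's standard `Date._strptime` stands in for Fluentd's own time parser (an assumption).

```ruby
require 'date'

# Expressions and time_format values copied from the config posted in the issue.
RESPONSE = /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>(.)*response(.)*)\] data: (?<method>[^ ]+) (?<endpoint>[^ ]+) (?<query>[^ ]+) (?<payload>[^ ]+) (?<statusCode>[^ ]+) \((?<responseTime>[^ ]+)\) (?<credentials>[^ ]+)/
ERROR = /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>((.)*error(.)*))\] data: \[(?<statusCode>.*)\] (?<type>.*): (?<message>.*)/

POSTED = [
  { name: 'response', expression: RESPONSE, time_format: '%Y-%m-%d %H:%M:%S.%L' },
  { name: 'error',    expression: ERROR,    time_format: '%Y-%m-%d %H-%M-%S.%L' }
].freeze

# Same patterns, with the second time_format corrected as the last comment describes.
FIXED = [POSTED[0], POSTED[1].merge(time_format: '%Y-%m-%d %H:%M:%S.%L')].freeze

# Simplified model (assumption): a pattern is accepted only when the expression
# matches AND the captured time fits time_format; otherwise the next one is tried.
# Date._strptime returns nil when the string does not fit the format.
def diagnose(line, patterns)
  patterns.map do |p|
    m = p[:expression].match(line)
    next [p[:name], :regexp_mismatch] unless m
    next [p[:name], :time_format_mismatch] unless Date._strptime(m[:time], p[:time_format])
    [p[:name], :ok]
  end
end

# Name of the first pattern that accepts the line, or nil ("pattern not match").
def first_match(line, patterns)
  hit = diagnose(line, patterns).find { |_, status| status == :ok }
  hit && hit.first
end

# The line quoted in the "pattern not match" warning from the issue.
LINE = '2018-08-08 16:45:04.869 -03:00, [log,api,error] data: [500] SequelizeDatabaseError: relation "daily_courses" does not exist'

if __FILE__ == $PROGRAM_NAME
  p diagnose(LINE, POSTED)
  p diagnose(LINE, FIXED)
end
```

Running the same check over a sample of real log lines before deploying a parser change shows whether events would be dropped as unparsed, which matters when those logs feed alerting or audit storage.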