fluent-plugin-multi-format-parser
Possible incompatibility with grok parser's grok XML elements
Hi,
Thanks for the great plugin!
We may be attempting to configure it improperly esp. around the v0.14 changes, but are at a loss as to how to use <grok> elements from the grok plugin with this plugin?
For reference, the basic grok_pattern works well with separate individual <pattern>format grok</pattern>s.
Fluent Version: 0.14.14
Given the following config block:
<filter **>
  @type parser
  key_name log
  reserve_data false
  <parse>
    @type multi_format
    <pattern>
      format grok
      <grok>
        # e.g. 2017-04-10 08:07:49.062 DEBUG [doot-boop,d0ea3905d59025c2,d0ea3905d59025c2,false] 17206 --- [ XNIO-2 task-5] io.undertow.session : Created session ... snip ...
        pattern %{TIMESTAMP_ISO8601:time}%{SPACE}%{LOGLEVEL:level}%{SPACE}\[%{DATA:app_name},%{DATA:trace_id},%{DATA:span_id},%{DATA:export_to_zipkin}\]%{SPACE}%{NUMBER:pid}%{SPACE}---%{SPACE}\[%{SPACE}%{DATA:threadname}\]%{SPACE}%{JAVACLASS:classname}%{SPACE}:%{SPACE}%{GREEDYDATA:logmessage}
      </grok>
      <grok>
        # e.g. 2017-03-27 22:15:59.861 DEBUG 5 --- [t-dispatcher-37] com.acme.aspects.LogAspect : snip\n
        pattern %{GREEDYDATA:logmessage}
      </grok>
    </pattern>
    <pattern>
      format grok
    </pattern>
  </parse>
</filter>
When starting fluent we get:
2017-04-11 22:22:13 +0000 [info]: adding filter pattern="**" type="parser"
2017-04-11 22:22:13 +0000 [info]: #0 Expanded the pattern into (?<time>(?>\d\d){1,2}-(?:0?[1-9]|1[0-2])-(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[T ](?:2[0123]|[01]?[0-9]):?(?:[0-5][0-9])(?::?(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))?(?:Z|[+-](?:2[0123]|[01]?[0-9])(?::?(?:[0-5][0-9])))?)\s*(?<level>([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))\s*\[(?<app_name>.*?),(?<trace_id>.*?),(?<span_id>.*?),(?<export_to_zipkin>.*?)\]\s*(?<pid>(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))\s*---\s*\[\s*(?<threadname>.*?)\]\s*(?<classname>(?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+)\s*:\s*(?<logmessage>.*)
2017-04-11 22:22:13 +0000 [info]: #0 Expanded the pattern into (?<logmessage>.*)
2017-04-11 22:22:13 +0000 [error]: #0 config error file="/etc/fluent/fluent.conf" error_class=Fluent::ConfigError error="no grok patterns. Check configuration, e.g. typo, configuration syntax, etc"
Hi r4j4h,
I have been facing the same issue for 3 days. If you get a solution for this, kindly help me.
Ramya
I was banging my head on this all evening. Turns out when you install the parser plugin, it defaults to a newer version & loads td-agent 0.14.20. So if you want a working version, you have to stay on 0.12.x and force load an older version of the plugin.
td-agent-gem uninstall fluent-plugin-grok-parser --version=2.1.4
td-agent-gem install fluent-plugin-grok-parser --version=1.0.0
td-agent-gem install fluentd --version=0.12.39
Sorry for the late response.
In the first case, the problem is the second <pattern>. It doesn't have a <grok> element, and that causes "no grok patterns".
Adding <grok> to the second <pattern> avoids the problem.
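
A pre-deployment check for the failure explained in the reply above, as an added example that is not part of the thread or of either plugin's code. It assumes, based on this thread, that a <pattern> with "format grok" needs either a grok_pattern parameter or at least one <grok> child; the function name, the shortened sample config and the placeholder pattern in the fixed version are constructed for illustration.

```ruby
# Assumption taken from this thread: a <pattern> with "format grok" needs a
# grok_pattern parameter or at least one <grok> child section.
# Returns the 1-based line numbers of <pattern> sections that have neither.
def grok_patterns_missing(conf)
  stack = []   # open sections, innermost last
  missing = []
  conf.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(%r{\A<(/?)([A-Za-z_]+)[^>]*>\z}))
      if m[1].empty? # opening tag: count <grok> on its parent, then descend
        stack.last[:groks] += 1 if m[2] == 'grok' && stack.last
        stack << { name: m[2], line: lineno, format: nil, inline: false, groks: 0 }
      else
        sec = stack.pop
        raise ArgumentError, "unbalanced </#{m[2]}> at line #{lineno}" unless sec && sec[:name] == m[2]
        empty = sec[:format] == 'grok' && !sec[:inline] && sec[:groks].zero?
        missing << sec[:line] if m[2] == 'pattern' && empty
      end
    elsif stack.last # plain "key value" parameter of the innermost section
      key, value = line.split(/\s+/, 2)
      stack.last[:format] = value if key == 'format'
      stack.last[:inline] = true if key == 'grok_pattern'
    end
  end
  raise ArgumentError, "unclosed <#{stack.last[:name]}>" unless stack.empty?
  missing
end

# Constructed sample: the <parse> section from this thread, expressions shortened.
BROKEN = <<~'CONF'
  <parse>
    @type multi_format
    <pattern>
      format grok
      <grok>
        pattern %{TIMESTAMP_ISO8601:time}%{SPACE}%{GREEDYDATA:logmessage}
      </grok>
      <grok>
        pattern %{GREEDYDATA:logmessage}
      </grok>
    </pattern>
    <pattern>
      format grok
    </pattern>
  </parse>
CONF
# Same config with a <grok> child (placeholder pattern) added to the second <pattern>.
FIXED = BROKEN.sub(/(format grok\n)(\s*<\/pattern>)/) { "#{$1}<grok>\npattern %{GREEDYDATA:logmessage}\n</grok>\n#{$2}" }
```

Calling grok_patterns_missing(BROKEN) reports the second <pattern> by line number, and the same call on FIXED returns an empty list.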