fluent / fluent-bit

Fast and Lightweight Logs and Metrics processor for Linux, BSD, OSX and Windows
https://fluentbit.io
Apache License 2.0

Words in square brackets cannot be filtered #7668

Closed plko345 closed 10 months ago

plko345 commented 1 year ago

Is your feature request related to a problem? Please describe.

I use fluent-bit:2.1.4 from Docker Hub to collect Elasticsearch server log files. Format example:

[2023-07-07T10:43:42,123][INFO ][a.b.c.e.Sth] [node-name]  [xxxxx][0] xxxxxxxxxxxxxxxxxxxxxxxxx
[2023-07-07T10:43:42,123][DEBUG][a.b.c.e.Sth] [node-name]  [xxxxx][0] xxxxxxxxxxxxxxxxxxxxxxxxx
org.elasticsearch.index.xxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    at org.elasticsearch.index.xxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

parser

[MULTILINE_PARSER]
    name          multiline-regex-test
    type          regex
    flush_timeout 1000
    # rules |   state name  | regex pattern                  | next state
    # ------|---------------|--------------------------------------------
    rule      "start_state"   "/^\[\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2},\d{3}\]\[(INFO|WARN|ERROR)\s*\].+/"  "cont"
    rule      "cont"          "/^(?!^\[\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2},\d{3}\]).+/"                     "cont"

[PARSER]
    Name named-capture-test
    Format regex
    Regex /^\[(?<date>\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2},\d{3})\](?<message>.*)/m

elasticsearch.conf example:

[INPUT]
    Name tail
    Tag     elasticsearch.*
    Path   /path/to/elasticsearch/*.log
    multiline.parser multiline-regex-test

[FILTER]
    name             parser
    match            elasticsearch.*
    key_name         log
    parser           named-capture-test

fluent-bit should not collect DEBUG lines, but it does. Example:

elasticsearch.path.to.some_name.log: [1688****.****, {"log": "[2023-07-07T10:43:42,123][DEBUG][o.e.a.s.TransportSearchAction] [nodename] [*******][0], node[*******]*********************", ******}]
elasticsearch.path.to.some_name.log: [1688****.****, {"log": "org.elasticsearch.transport.RemoteTransportException: [nodename][10.1.1.1:9300][indices:data/read/search*******]] Caused by:",******}]
elasticsearch.path.to.some_name.log: [1688****.****, {"date": "2023-07-07T10:43:42,123", "message": "***************"}]

Describe the solution you'd like

I tried to add a FILTER, but it does not work, and I found that any word in square brackets [] also does not work.

[FILTER]
    name             grep
    match            elasticsearch.*
    exclude         log      DEBUG

Describe alternatives you've considered

Additional context
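
An added example, not part of the original issue or of Fluent Bit's code: a simplified Ruby model of the two multiline rules above (Ruby's regex engine is Onigmo, the library Fluent Bit uses), run over constructed lines shaped like the log excerpt. It assumes that a line matching no rule is passed through as its own record, which is consistent with the output shown in the issue; the `group` helper and the sample lines are hypothetical.

```ruby
# Patterns copied verbatim from the issue's [MULTILINE_PARSER] rules.
START_STATE = /^\[\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2},\d{3}\]\[(INFO|WARN|ERROR)\s*\].+/
CONT        = /^(?!^\[\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2},\d{3}\]).+/

# Constructed sample lines, shaped like the Elasticsearch log in the issue.
SAMPLE = [
  "[2023-07-07T10:43:42,123][INFO ][a.b.c.e.Sth] [node-name]  [xxxxx][0] started",
  "[2023-07-07T10:43:42,123][DEBUG][a.b.c.e.Sth] [node-name]  [xxxxx][0] failed",
  "org.elasticsearch.index.SomeException: reason",
  "    at org.elasticsearch.index.Some.method(Some.java:1)",
  "[2023-07-07T10:43:43,456][ERROR][a.b.c.e.Sth] [node-name]  [xxxxx][0] boom",
  "    at org.elasticsearch.index.Other.method(Other.java:2)",
]

# Simplified model of the start_state -> cont state machine.
# Returns the list of records the multiline stage would hand to the filters.
def group(lines)
  records = []
  current = nil                      # record being assembled; nil = start state
  lines.each do |line|
    if START_STATE.match?(line)
      records << current if current  # a new start line closes the open record
      current = line.dup
    elsif current && CONT.match?(line)
      current << "\n" << line        # continuation of the open record
    else
      records << current if current
      current = nil
      records << line                # assumption: unmatched lines pass through as-is
    end
  end
  records << current if current
  records
end

# Records that still carry a DEBUG level after the multiline stage.
def debug_records(records)
  records.select { |r| r.match?(/\]\[DEBUG\s*\]/) }
end

if __FILE__ == $PROGRAM_NAME
  group(SAMPLE).each_with_index { |r, i| puts "record #{i}: #{r.inspect}" }
end
```

In this model the DEBUG line matches neither rule (`start_state` lists only INFO, WARN and ERROR, and `cont` rejects any line that begins with a timestamp), so it and its stack-trace lines come out as separate single-line records rather than being dropped.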

github-actions[bot] commented 10 months ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

github-actions[bot] commented 10 months ago

This issue was closed because it has been stalled for 5 days with no activity.