Open Asmokin11 opened 1 month ago
I got immediately suspicious when I saw a non-standard container log parser being used:
parser containerd_default
This won't cope with multiline or partial logs I think so are those reconstructed afterwards? I wonder if every now and then you get a different format in your actual container logs on the node - you're just showing the logs without the container format around it so I'm guessing application logs. Can you check the actual log files on disk and verify the formatting there?
Yes the logs I shared above are applications logs. So the actual logs on the disk are in below format:
2024-05-27T10:45:46.381141241Z stdout F 2024-05-27 12:45:46,380 [] [INFO] [org.<text>] [<text>] - RESP_IN
2024-05-27T10:45:46.381171606Z stdout F Address: <addresss-id>
2024-05-27T10:45:46.381176803Z stdout F Content-Type: application/json
2024-05-27T10:45:46.381181208Z stdout F ResponseCode: 200
2024-05-27T10:45:46.381185641Z stdout F ExchangeId: <exchange-id>
2024-05-27T10:45:46.381190101Z stdout F Headers: {<text>}
2024-05-27T10:45:46.381194381Z stdout F Payload: {
2024-05-27T10:45:46.381198647Z stdout F "transactionStatus": "",
2024-05-27T10:45:46.381202901Z stdout F "fundsAvailable": true
2024-05-27T10:45:46.381206856Z stdout F }
2024-05-27T10:45:46.381210366Z stdout F
This again is an example of a failed multiline log parsing which happened today. Everything from "Headers:" onwards is shown in a separate log line.
The idea behind
parser containerd_default
was to have the actual log entries separated from the prefix which is being added. Then parse the logs captured in the regex group "log".
Hi, would anyone be able to assist here ?
Bug Report
Describe the bug
I have implemented multiline logging in our GKE cluster and the log parsing is correct most of the times but every now and then approximately 4-5 times in 3 hours I see logs in Cloud Logging which are not parsed as a multiline log line. When the log line is not correctly parsed, any subsequent line coming after that are skipped until the parser matches the "start_state" again.
To Reproduce
Expected behavior
The above shared log gets parsed into 2 sections: 1st log section contains:
2nd log section:
Screenshots
As seen in the attached screenshot which is for the last 3 hours, these occurrences are few but still present. On some occasions the log lines coming after the first orphaned log get skipped and the processing starts again from the next new log line.![fluentbit-log](https://github.com/fluent/fluent-bit/assets/56644272/cf94cc49-90c0-49a4-9ef7-4bdbfb7b3954)
Your Environment
fluentbit.conf:
parsers.conf:
Additional context
The parsers on most occasions parse the logs correctly but we still cannot rely fully on them due to these log line skipping and improper parsing.
fluentbit.log:
fluentbit_custom.log:
Inside the fluentbit_custom.log file I can see the below line on many occassions: