repeatedly / fluent-plugin-multi-format-parser

Multi format parser for Fluentd

Multiple regexes #11

Open Pehesi97 opened 6 years ago

Pehesi97 commented 6 years ago

My fluentd config has two regexes, but only the first one will match.

This is my .conf file.

<source>
  @type http
  port 8888
</source>

## live debugging agent
<source>
  @type debug_agent
  bind 127.0.0.1
  port 24230
</source>

<source>
    @type tail
    path /Users/pedro/.pm2/logs/fv-back-out*.log
    pos_file /Users/pedro/.pm2/logs/fv-back-response.log.pos
    tag fv-back
    <parse>
        @type multi_format
        <pattern>
            format regexp
            expression /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>(.)*response(.)*)\] data: (?<method>[^ ]+) (?<endpoint>[^ ]+) (?<query>[^ ]+) (?<payload>[^ ]+) (?<statusCode>[^ ]+) \((?<responseTime>[^ ]+)\) (?<credentials>[^ ]+)/
            time_format %Y-%m-%d %H:%M:%S.%L
            types time:time,tags:array,statusCode:integer
        </pattern>
        <pattern>
            format regexp
            expression /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>((.)*error(.)*))\] data: \[(?<statusCode>.*)\] (?<type>.*): (?<message>.*)/
            time_format %Y-%m-%d %H-%M-%S.%L
            types time:time,tags:array,statusCode:integer
        </pattern>
    </parse>
</source>

<match fv-back*>
    @type copy

    <store>
        @type elasticsearch
        host localhost
        port 9200
        logstash_format true
    </store>

    <store>
        @type s3
        aws_key_id AKIAI3BKNP4PWLJW5PMQ
        aws_sec_key hoWhK+KzAKOwKuPszBkS8099Nuu8WZKJKo516XUY
        s3_bucket softruck.pm2.logs
        s3_region us-east-1
        path /

        <buffer time>
            @type file
            path /var/log/td-agent/s3_buffer
            timekey 3600
            timekey_wait 10m
            timekey_use_utc true
            chunk_limit_size 256m
        </buffer>
    </store>
</match>

<match **>
    @type null
</match>

And this 2018-08-08 16:45:05 -0300 [warn]: #0 pattern not match: "2018-08-08 16:45:04.869 -03:00, [log,api,error] data: [500] SequelizeDatabaseError: relation \"daily_courses\" does not exist" is my Fluentd log.

Rubular says my regex should pass. Is there anything I'm doing wrong?

ZhangSIming-blyq commented 4 years ago

Same issue here. Waiting for an answer.

ggpaue commented 4 years ago

Same issue here, can anyone help?

rsilva-rs commented 4 years ago

You could try this plugin: https://github.com/sesame/fluent-plugin-regexp_multi

davelosert commented 3 years ago

We are having the same issue - is there a chance this will get fixed?

ankit1mg commented 3 years ago

> We are having the same issue - is there a chance this will get fixed?

+1

asdfII commented 3 years ago

> We are having the same issue - is there a chance this will get fixed?

+1

cm0s commented 1 year ago

Same issue. Has anyone found a solution? @rsilva-rs plugin doesn't seem to exist anymore.

repeatedly commented 1 year ago

I think this is not a bug. The issue author's problem is the mismatch between the log body and the time format.

The second expression matches 2018-08-08 16:45:04.869 -03:00, [log,api,error] data: [500] SequelizeDatabaseError: relation "daily_courses" does not exist, but the time field, 2018-08-08 16:45:04.869, is in %Y-%m-%d %H:%M:%S.%L format, not %Y-%m-%d %H-%M-%S.%L. Putting more <pattern> fixes this problem. If you have a similar pattern not match log, check your expression/time_format combination for actual logs.
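
The diagnosis in the last comment, reproduced as an added example (not code from the thread or from the plugin). The log line, both expressions and both time formats are copied from the issue; `try_pattern` and `diagnose` are hypothetical helpers that model a pattern as a regexp match followed by time parsing, with Ruby's standard `Time.strptime` standing in, as an assumption, for Fluentd's own time parser.

```ruby
require "time"

# Log line and both <pattern> expressions are copied from the issue.
LINE = '2018-08-08 16:45:04.869 -03:00, [log,api,error] data: [500] ' \
       'SequelizeDatabaseError: relation "daily_courses" does not exist'
RESPONSE_RE = /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>(.)*response(.)*)\] data: (?<method>[^ ]+) (?<endpoint>[^ ]+) (?<query>[^ ]+) (?<payload>[^ ]+) (?<statusCode>[^ ]+) \((?<responseTime>[^ ]+)\) (?<credentials>[^ ]+)/
ERROR_RE = /(?<time>((\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})) (\-|\+)(\d{2}):(\d{2})), \[(?<tags>((.)*error(.)*))\] data: \[(?<statusCode>.*)\] (?<type>.*): (?<message>.*)/

AS_POSTED = "%Y-%m-%d %H-%M-%S.%L" # time_format of the second <pattern> as posted
CORRECTED = "%Y-%m-%d %H:%M:%S.%L" # format named in the maintainer's reply

# Hypothetical helper: a pattern succeeds only if the expression matches AND
# the captured time field parses with that pattern's time_format.
# Assumption: Time.strptime stands in for Fluentd's own time parser.
def try_pattern(line, expression, time_format)
  m = expression.match(line)
  return [:regexp_mismatch, nil] unless m

  [:parsed, Time.strptime(m[:time], time_format)]
rescue ArgumentError => e
  [:time_format_mismatch, e.message]
end

# Hypothetical helper: per-pattern status, in the order the patterns are listed.
# If no entry is :parsed, the line ends up as "pattern not match".
def diagnose(line, patterns)
  patterns.map { |expression, time_format| try_pattern(line, expression, time_format).first }
end

if __FILE__ == $PROGRAM_NAME
  { "as posted" => AS_POSTED, "corrected" => CORRECTED }.each do |label, fmt|
    # The first <pattern> in the issue already uses the colon-separated format.
    statuses = diagnose(LINE, [[RESPONSE_RE, CORRECTED], [ERROR_RE, fmt]])
    puts "#{label}: #{statuses.inspect}"
  end
end
```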