parsers: Support CRI-O and containerd #881
See fluent#876 and fluent#873 Signed-off-by: Steve Coffman <[email protected]>
@StevenACoffman are we ok to merge this one?
@kskewes If you get a chance to run this through ElasticSearch, I would appreciate a comment with the output for documentation purposes. I have tested it with Kafka output and it works fine, but don't have an ElasticSearch cluster setup.
conf/parsers.conf (Outdated)
Format Regex
Regex /^(?<time>.+)\b(?<stream>stdout|stderr)\b(?<log>.*)$/
Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%N%:z
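Review bot: the Time_Format on the last line uses %N and %:z, and neither conversion could be located in strptime documentation in this thread; the sample timestamp quoted here, 2016-02-17T00:04:05.931087621Z, is matched by %Y-%m-%dT%H:%M:%S.%L%z, where %L is Fluent Bit's own fractional-seconds conversion documented at the parser page linked further down. Suggest switching to that form and adding a one-line comment with a sample log line above the parser, since %L is not a standard strptime conversion and the next reader will ask the same question.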
Is this okay? %N and %:z
Should it be this?
%Y-%m-%dT%H:%M:%S.%L%z
The colon appears wrong. What is %L? Is it milliseconds as a decimal number [000, 999]? I don't see %L in the strptime documentation. I think I got %N from the unix date man page.
The timestamps I see follow this format:
2016-02-17T00:04:05.931087621Z
With both your suggestions I see them in Kafka fine. Perhaps that's why I needed the Time_Keep On before?
Indeed wrt %L. It's not in that documentation but appears to be a custom fluent bit option for nanoseconds.
See bottom of this page: https://fluentbit.io/documentation/0.14/parser/
conf/parsers.conf (Outdated)
# http://rubular.com/r/izM6olvshn
Name crio
# http://rubular.com/r/tjUt3Awgg4
Name cri
Format Regex
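Review bot: renaming the parser from crio to cri is a user-visible change for anyone who already references the parser by name from an input's Parser directive; the PR description currently only points at #876 and #873, so call the rename out there. The rubular.com comment is a link to an external regex playground; an inline sample log line next to the Regex would document the format without depending on that site.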
We could make this regex
although there was a commit to make this case insensitive merged.
conf/parsers.conf (Outdated)
Format Regex
Regex /^(?<time>.+)\b(?<stream>stdout|stderr)\b(?<log>.*)$/
Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%N%:z
Time_Keep On
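Review bot: Time_Keep On retains the raw time field in the record alongside the timestamp parsed via Time_Key, and the Elasticsearch output in this thread then rejects the documents with a mapper_parsing_exception, Duplicate field 'time', while the Kafka path reportedly works with or without it. Unless the raw string is needed downstream, drop the Time_Keep line so the parser emits a single time value.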
Time_Keep On seems to break Elasticsearch for me. Could be my K8s filter or ES output?
Fluent-Bit logs this error.
[2018/11/03 19:26:13] [ warn] [out_es] Elasticsearch error
{"took":150,"errors":true,"items":[{"index":{"_index":"logstash-2018.11.03","_type":"flb_type","_id":"_vEK22YBtlziBPpiPhwA","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"i_o_exception","reason":"Duplicate field 'time'\n at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@2d5483; line: 1, column: 43]"}}}},{"index":{"_index":"logstash-2018.11.03","_type":"flb_type","_id":"__EK22YBtlziBPpiPhwA","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"i_o_exception","reason":"Duplicate field 'time'\n at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@4988de6b; line: 1, column: 43]"}}}},{"index":{"_index":"logstash-2018.11.03","_type":"flb_type","_id":"APEK22YBtlziBPpiPh0A","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse","caused_b
Doesn't make a difference for my use case, so I can happily remove that
Thanks. Do you end up with additional time fields in Kafka?
I can also remove locally and wonder if one of the maintainers or someone with more experience with this field can advise. I haven't been able to grok the use case.
With above changes I get this in Elasticsearch:
Signed-off-by: Steve Coffman <[email protected]>
Argh. My parser configuration is applied via a configmap, rather than what is baked into the docker image, so I tried copy pasting what I was running in my cluster using my phone yesterday. That was ill-advised, and I'm sorry for the confusion. This corrects the mistake. Thank you @kskewes
That would be tricky!
@edsiper This is okay to merge now.
thanks!
See #876 and #873
If a single character is detected, consider this the log tag for the line.
This is a part of the multiline handling for cri-o logs.
Example Fluent-bit log line on disk:
Example Elasticsearch JSON document:
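Added example, not part of this PR or of Fluent Bit: the cri regex above rewritten in Python, with the nanosecond timestamp handled by hand (Python's strptime has no %L or %N either), a time_keep switch that mirrors Time_Keep On/Off for the raw time field, and a merge of single-character log tags into whole messages. It assumes the CRI convention that tag P marks a partial line and F a full one, which the PR description does not spell out, and the @timestamp key name is an illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed example: the PR's CRI regex in Python named-group syntax
# (Fluent Bit's Onigmo engine writes (?<name>...), Python writes (?P<name>...)).
CRI_RE = re.compile(r"^(?P<time>[^ ]+) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*) (?P<message>.*)$")
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:?\d{2})")

def parse_cri_time(value):
    """Return (aware datetime, nanoseconds) for an RFC 3339 stamp such as
    2016-02-17T00:04:05.931087621Z. Python's strptime has no %L/%N either
    (%f stops at 6 digits), so the fraction is split off and padded by hand."""
    m = TS_RE.fullmatch(value)
    if not m:
        raise ValueError("not an RFC 3339 timestamp: %r" % value)
    base, frac, tz = m.groups()
    nanos = int((frac or "").ljust(9, "0"))  # right-pad to 9 digits
    if tz == "Z":
        off = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        off = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[-2:])))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=off, microsecond=nanos // 1000), nanos

def parse_cri_line(line, time_keep=False):
    """Apply the parser to one line; time_keep mirrors Fluent Bit's Time_Keep On/Off."""
    m = CRI_RE.match(line.rstrip("\n"))
    if not m:
        return None
    record = m.groupdict()
    ts, _nanos = parse_cri_time(record["time"])
    record["@timestamp"] = ts.isoformat()  # illustrative key for the parsed time
    if not time_keep:
        del record["time"]  # Time_Keep Off: the raw source field is dropped
    return record

def join_partials(lines):
    """Merge partial lines (logtag P) into the following full line (F).
    P/F is the CRI log-format convention, assumed here; the PR page only says
    a single character is the log tag."""
    out, buf = [], []
    for line in lines:
        rec = parse_cri_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than corrupt the buffer
        buf.append(rec["message"])
        if rec["logtag"] != "P":  # F (or anything else) terminates the message
            rec["message"] = "".join(buf)
            buf = []
            out.append(rec)
    return out
```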