Not sure if it is an issue.
I got strange output with the regex parser.
I use version 0.11.9 of fluent-bit.
I'm trying to parse a file-dumped dockerd log using the regex parser.
Below is a sample docker daemon log.
```
time="2017-06-22T11:36:53.223346543+09:00" level=info msg="libcontainerd: new containerd process, pid: 10366"
time="2017-06-22T11:36:53.231136794+09:00" level=warning msg="containerd: low RLIMIT_NOFILE changing to max" current=1024 max=4096
time="2017-06-22T11:36:54.225417748+09:00" level=warning msg="failed to rename /var/lib/docker/tmp for background deletion: %!s(<nil>). Deleting synchronously"
time="2017-06-22T11:36:54.313788939+09:00" level=warning msg="devmapper: Usage of loopback devices is strongly discouraged for production use. Please use `--storage-opt dm.thinpooldev` or use `man docker` to refer to dm.thinpooldev section."
time="2017-06-22T11:36:54.340289265+09:00" level=warning msg="devmapper: Base device already exists and has filesystem xfs on it. User specified filesystem will be ignored."
time="2017-06-22T11:36:54.455264492+09:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"
time="2017-06-22T11:36:54.455457008+09:00" level=warning msg="Your kernel does not support cgroup rt period"
time="2017-06-22T11:36:54.455469928+09:00" level=warning msg="Your kernel does not support cgroup rt runtime"
time="2017-06-22T11:36:54.455730672+09:00" level=info msg="Loading containers: start."
time="2017-06-22T11:36:54.649856426+09:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
time="2017-06-22T11:36:54.728947225+09:00" level=info msg="Loading containers: done."
time="2017-06-22T11:36:54.756435527+09:00" level=info msg="Daemon has completed initialization"
time="2017-06-22T11:36:54.756473355+09:00" level=info msg="Docker daemon" commit=89658bed64 graphdriver=devicemapper version=17.05.0-ce
time="2017-06-22T11:36:54.761660277+09:00" level=info msg="API listen on /var/run/docker.sock"
time="2017-06-22T11:36:59.668637636+09:00" level=info msg="Processing signal 'interrupt'"
time="2017-06-22T11:36:59.810694666+09:00" level=info msg="stopping containerd after receiving terminated"
```

```
[2017/08/04 02:33:10] [ info] [engine] started
[2017/08/04 02:33:10] [debug] [in_tail] inotify watch fd=19
[2017/08/04 02:33:10] [debug] [in_tail] scanning path /fluent-bit/var/log/dockerd.log
[2017/08/04 02:33:10] [debug] [in_tail] add to scan queue /fluent-bit/var/log/dockerd.log, offset=0
[2017/08/04 02:33:10] [debug] [router] input=tail.0 'DYNAMIC TAG'
[2017/08/04 02:33:10] [debug] [input tail.0] [mem buf] size = 1484
[2017/08/04 02:33:10] [debug] [in_tail] file=/fluent-bit/var/log/dockerd.log read=2063 lines=16
[2017/08/04 02:33:10] [debug] [in_tail] file=/fluent-bit/var/log/dockerd.log promote to TAIL_EVENT
[2017/08/04 02:33:10] [debug] [task] created task=0x7f60f0a9a320 id=0 OK
[2017/08/04 02:33:10] [debug] [task] destroy task=0x7f60f0a9a320 (task_id=0)
[2017/08/04 02:33:10] [debug] [dyntag tail.0] 0x7f60f0a6d060 destroy (tag=dockerd)
```
and this is my parser configuration.
I confirmed it from http://rubular.com/r/X7BH0M4Ivm
```
[PARSER]
    Name        dockerd
    Format      regex
    Regex       time="(?<time>[^ ]*)" level=(?<level>[^ ]*) msg="(?<msg>[^ ].*)"
    Time_Key    time
    Time_Format %Y-%m-%dT%H:%M:%S.%L
```
And when I see its result,
there are two issues I didn't expect.
1) double quote at each end of msgpack "}]
2) it parses other columns which I don't want.
See the ** surrounded lines below.
ex) current, max, commit
```
[0] dockerd: [1498131413, {"level"=>"info", "msg"=>"libcontainerd: new containerd process, pid: 10366" "}]
**[1] dockerd: [1498131413, {"level"=>"warning", "msg"=>"containerd: low RLIMIT_NOFILE changing to max" current=1024 max=4096 "}]**
[2] dockerd: [1498131414, {"level"=>"warning", "msg"=>"failed to rename /var/lib/docker/tmp for background deletion: %!s(<nil>). Deleting synchronously" "}]
[3] dockerd: [1498131414, {"level"=>"warning", "msg"=>"devmapper: Usage of loopback devices is strongly discouraged for production use. Please use `--storage-opt dm.thinpooldev` or use `man docker` to refer to dm.thinpooldev section." "}]
[4] dockerd: [1498131414, {"level"=>"warning", "msg"=>"devmapper: Base device already exists and has filesystem xfs on it. User specified filesystem will be ignored." "}]
[5] dockerd: [1498131414, {"level"=>"info", "msg"=>"Graph migration to content-addressability took 0.00 seconds" "}]
[6] dockerd: [1498131414, {"level"=>"warning", "msg"=>"Your kernel does not support cgroup rt period" "}]
[7] dockerd: [1498131414, {"level"=>"warning", "msg"=>"Your kernel does not support cgroup rt runtime" "}]
[8] dockerd: [1498131414, {"level"=>"info", "msg"=>"Loading containers: start." "}]
[9] dockerd: [1498131414, {"level"=>"info", "msg"=>"Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address" "}]
[10] dockerd: [1498131414, {"level"=>"info", "msg"=>"Loading containers: done." "}]
[11] dockerd: [1498131414, {"level"=>"info", "msg"=>"Daemon has completed initialization" "}]
**[12] dockerd: [1498131414, {"level"=>"info", "msg"=>"Docker daemon" commit=89658bed64 graphdriver=devicemapper version=17.05.0-ce "}]**
[13] dockerd: [1498131414, {"level"=>"info", "msg"=>"API listen on /var/run/docker.sock" "}]
[14] dockerd: [1498131419, {"level"=>"info", "msg"=>"Processing signal 'interrupt'" "}]
[15] dockerd: [1498131419, {"level"=>"info", "msg"=>"stopping containerd after receiving terminated" "}]
```

Any idea?
I can reproduce with v0.11.15.
On the other hand, the issue is fixed with v0.12(dev).
I don't specify which patch fixed this issue...
Could you try to test v0.12?
```
$ ../bin/fluent-bit -c a.conf
Fluent-Bit v0.11.15
Copyright (C) Treasure Data
[2017/08/04 18:25:16] [ info] [engine] started
[0] tail.0: [1498131413, {"level"=>"warning", "msg"=>"containerd: low RLIMIT_NOFILE changing to max" current=1024 max=4096"}]
```

```
$ ../bin/fluent-bit -c a.conf
Fluent-Bit v0.12.0
Copyright (C) Treasure Data
[2017/08/04 18:20:32] [ info] [engine] started
[0] tail.0: [1498131413.231136794, {"level"=>"warning", "msg"=>"containerd: low RLIMIT_NOFILE changing to max"}]
```

```
[SERVICE]
    Parsers_file /home/taka/git/oss/pull_req/fluentbit_env/fluent-bit/build/344/parsers.conf

[INPUT]
    Name   tail
    path   /home/taka/git/oss/pull_req/fluentbit_env/fluent-bit/build/344/log.txt
    parser dockerd

[OUTPUT]
    Name  stdout
    match *
```
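An added example, not part of the thread and not Fluent Bit code: the parser regex from the issue evaluated in Ruby (the dialect rubular.com tests), so the expected `msg` can be checked independently of the Fluent Bit version. It also shows two things the thread does not cover: a greedy `msg` pattern absorbs any later quoted field, and the epoch `1498131413` in the output above is the 11:36:53 wall clock read as UTC, with `+09:00` not applied. `STRICT_RE`, `QUOTED_LINE` and the helper names are assumptions made for this example.

```ruby
require 'time'

# Regex exactly as written in the [PARSER] section of the issue.
ISSUE_RE = /time="(?<time>[^ ]*)" level=(?<level>[^ ]*) msg="(?<msg>[^ ].*)"/
# Hypothetical stricter variant (not from the thread): msg ends at the first
# unescaped double quote, so later key="value" pairs can never be absorbed.
STRICT_RE = /time="(?<time>[^"]*)" level=(?<level>\S+) msg="(?<msg>(?:[^"\\]|\\.)*)"/

# Line taken from the sample log in the issue.
PAGE_LINE = 'time="2017-06-22T11:36:53.231136794+09:00" level=warning ' \
            'msg="containerd: low RLIMIT_NOFILE changing to max" current=1024 max=4096'
# Constructed line: a quoted field after msg, which the sample log does not contain.
QUOTED_LINE = 'time="2017-06-22T11:37:01.000000001+09:00" level=error ' \
              'msg="pull failed" error="context canceled"'

# Returns the named captures as a hash, or nil when the line does not match.
def parse(re, line)
  m = re.match(line)
  m && m.named_captures
end

# Epoch seconds with the UTC offset in the time field applied.
def epoch_with_offset(ts)
  Time.iso8601(ts).to_i
end

# Epoch seconds when the offset is dropped and the wall clock is read as UTC,
# which is what a time format ending at the fractional seconds amounts to.
def epoch_ignoring_offset(ts)
  Time.iso8601(ts.sub(/[+-]\d\d:\d\d\z/, 'Z')).to_i
end

if __FILE__ == $PROGRAM_NAME
  [PAGE_LINE, QUOTED_LINE].each do |line|
    puts "issue : #{parse(ISSUE_RE, line)['msg'].inspect}"
    puts "strict: #{parse(STRICT_RE, line)['msg'].inspect}"
  end
  ts = parse(ISSUE_RE, PAGE_LINE)['time']
  puts "with offset: #{epoch_with_offset(ts)}"
  puts "ignoring offset: #{epoch_ignoring_offset(ts)}"
end
```

Records stamped nine hours off and messages that swallow neighbouring fields both distort a timeline built from these logs, so both are worth asserting on in a parser test.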
@keyolk @nokute78
thanks for reporting and troubleshooting the problem.
I've backported some improvements of the regex handler from 0.12 to 0.11 which now fix the problem described. The fix will be part of 0.11.16.
If possible please test the latest changes from 0.11 branch.
Fixed.
@nokute78 @edsiper
I tested, and all works well : )
Thanks all.
@keyolk thanks, I am releasing today.