Fluent-bit: How to parse data as a collection of key/value pairs

Created on 20 Nov 2017  路  8Comments  路  Source: fluent/fluent-bit

Hi Guys,
I'm a little new to fluent-bit and I want to use the filter "parser" to parse a key on a log line.

Given :

A log line 

[0] os.component/abba/3594881dacb8: [1511196039.000000000, {"container_name"=>"/abba", "source"=>"stdout", "log"=>"time="2017-11-20 17:40:39" || component="EX--ABBA" || logger="/os/app/src/index.js" || type="TECHNICAL" || msg="/health endpoint ca", "container_id"=>"3594881dacb8d9d3317a6c9fc6aff2ec627ee43037fec5e609e22c6cb9cf93b7"}]

And

A parser filter with the key_name I want to parse "log"

[FILTER]
    Name parser
    Key_Name log
    Parser os_parser

And

A Parser file with content 

[PARSER]
    Name os_parser
    Format regex
    Regex <I_DONT_KNOW_THE_RIGHT_REGEX>

When

I run fluent-bit with the configuration given above

Then

I should get the following output

[3] os.component: [1511195416.002497117, {"time"=>"2017-11-20 17:22:32", "component" => "EX--ABBA", "logger" => "/os/app/src/index.js", "type"=>"TECHNICAL", "msg"=>"/health endpoint ca" }]

Do you have any idea of which regex () I could use to achieve that result ?

Thanks in advance

fixed question
Source
picture lktslionel
👍3

All 8 comments

I could contribute by creating a parser function in Go that aims to parser key/val pairs with a given separator; but I don't know how to create one not in C but in Go instead.
Thanks

lktslionel picture lktslionel on 21 Nov 2017

regexp

fluentbit supports named capture.
It can define the key name.

e.g (?<key_name>[^ ]*)

could you check this document?
http://fluentbit.io/documentation/current/parser/regular_expression.html

http://rubular.com/
is helpful to test regexp.

nokute78 picture nokute78 on 22 Nov 2017

I agree but I need to capture key_name/key_value without having to specify the key_name by its position in the log line.
The behavior I need is something similar to logstash kv plugin

Thanks

lktslionel picture lktslionel on 26 Nov 2017

Hello, @edsiper
Does your commit solves my issue ?
Thanks

lktslionel picture lktslionel on 6 Feb 2019

Hi, We also need to have a parser that allows us to extract key=value pairs without a need to defining the name and order of each field... Is there anything like that? Tons of our applications would break with this restriction!

dvlato picture dvlato on 26 Apr 2019

I came across this issue while checking the same for myself and it seems to me that the logfmt parser is what you're looking for. Please notice I still haven't tested it, but the docs seem to indicate that it's the way to go

hernandesbsousa picture hernandesbsousa on 30 Aug 2019
👍1

Thanks @hernandesbsousa ! I will try this one a let you guys, know :-)

lktslionel picture lktslionel on 14 Nov 2019

thanks everyone.

ref: https://docs.fluentbit.io/manual/parser/logfmt

edsiper picture edsiper on 28 Nov 2019
🎉1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

benclive picture benclive  路  3Comments
edsiper picture edsiper  路  4Comments
tarokkk picture tarokkk  路  3Comments
edsiper picture edsiper  路  4Comments
Barbazoo picture Barbazoo  路  3Comments