Fluent-bit: How to use few fields in grep filter?

Created on 17 May 2018 · 5 Comments · Source: fluent/fluent-bit

I'm using fluent-bit:0.13.0, and I want to grep "warns", "errors", etc. from multiple fields using the grep filter. How can I do it?
This is part of my config.

filter-kubernetes.conf: |
   [FILTER]
       Name           kubernetes
       Match          kube.*
       Kube_URL       https://kubernetes.default.svc.cluster.local:443
       Merge_JSON_Log On
       tls.verify     Off
       tls.debug      4
   [FILTER]
       Name           grep
       Match          kube.*
       Regex          log|msg (?i)warn|error|exception|critical|warning|err

How do I grep from the "log" and "msg" fields if they comply with the regex?

All 5 comments

@bat9r It depends on the format of your incoming logs. I would put the grep filter before the kubernetes filter, so you let pass only the ones you care about.

@edsiper
Thank you for the answer.
So, I can't "care about" two fields? Or could I do it from the other side (an application which aggregates logs)?

A workaround might be (on 0.14 - currently unreleased) to apply the modify filter twice with conditions. This allows you to create an OR condition where a record is tagged with k/v _keep:true_ if it matches either condition. You can then apply the grep filter to keep or drop the record based on that k/v.

   [FILTER]
       Name           modify
       Match          kube.*
       Condition      Key_value_matches log REGEX_TO_MATCH
       Set            keep true

   [FILTER]
       Name           modify
       Match          kube.*
       Condition      Key_value_matches msg REGEX_TO_MATCH
       Set            keep true

   [FILTER]
       Name           grep
       Match          kube.*
       Regex          keep true
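
To check which records the modify/modify/grep chain above keeps before deploying it, this Python sketch models the three filters on constructed records. It is an added example, not Fluent Bit code or code from the thread; Python's `re` stands in for Fluent Bit's regex engine, and the function names and sample records are assumptions.

```python
import re

# Regex copied from the question; Python's `re` stands in for Fluent Bit's
# regex engine (assumption of this sketch).
PATTERN = re.compile(r"(?i)warn|error|exception|critical|warning|err")

def modify_if_matches(record, key, pattern, flag="keep"):
    """Model of: modify / Condition Key_value_matches <key> <regex> / Set keep true."""
    value = record.get(key)
    if isinstance(value, str) and pattern.search(value):
        return {**record, flag: "true"}  # copy, so the input record is not mutated
    return record

def grep_regex(records, key, pattern):
    """Model of: grep / Regex <key> <regex>. Records lacking the key are dropped."""
    return [r for r in records
            if isinstance(r.get(key), str) and pattern.search(r[key])]

def run_chain(records):
    """Two conditional modify passes (log, then msg) followed by grep on `keep`."""
    tagged = []
    for rec in records:
        for field in ("log", "msg"):
            rec = modify_if_matches(rec, field, PATTERN)
        tagged.append(rec)
    return grep_regex(tagged, "keep", re.compile("true"))

def kept_ids(records):
    """Ids of the records that survive the whole chain, in input order."""
    return [r["id"] for r in run_chain(records)]

# Constructed sample records (not taken from the thread).
SAMPLE = [
    {"id": 1, "log": "GET /healthz 200"},                              # no match
    {"id": 2, "log": "ERROR: connection refused"},                     # log matches
    {"id": 3, "log": "request done", "msg": "Critical: disk full"},    # msg matches
    {"id": 4, "msg": "user logged in"},                                # no match
    {"id": 5, "log": "Warning: cert expiring", "msg": "tls warning"},  # both match
    {"id": 6, "log": "job interrupted"},                               # "err" substring
    {"id": 7, "log": "ok", "keep": "true"},                            # keep set upstream
]

if __name__ == "__main__":
    print(kept_ids(SAMPLE))
```

Records 6 and 7 are the cases to check in real traffic: the bare `err` alternative matches inside unrelated words, and a record that already arrives with its own `keep` field passes the final grep regardless of its content.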

@michiel Thank you, great idea :)

Hi @bat9r,
does the line Regex log|msg (?i)warn|error|exception|critical|warning|err mean that I want to filter the messages where either the log or msg field is among warn|error|exception|critical|warning|err?
If yes, I wanted to filter the logs where container_name is either nifi or redis. I used the config below, which doesn't seem to work:
   Regex CONTAINER_NAME nifi | redis
Any suggestions?
