我正在尝试让Fluentd使用in_tail解析来自Docker日志记录驱动程序的Java堆栈跟踪,并将其作为单个消息发出。
对于我的一生,无法弄清楚为什么它仍然将他们分开。
这是一个示例输入,正在写入文件:
2015-12-17T19:19:47+00:00 docker.java.ubuntu:15.10 {"log":"Exception in thread main java.lang.NullPointerException\r","container_id":"5a064eb23465350a11fe00b1f7787f5bd3e9f0182dd44c09516a72ab4006bd54","container_name":"/src-test_1.0.0.353_989549167.1","source":"stdout"}
2015-12-17T19:19:47+00:00 docker.java.ubuntu:15.10 {"container_id":"5a064eb23465350a11fe00b1f7787f5bd3e9f0182dd44c09516a72ab4006bd54","container_name":"/src-test_1.0.0.353_989549167.1","source":"stdout","log":" at com.example.myproject.Book.getTitle(Book.java:16)\r"}
2015-12-17T19:19:47+00:00 docker.java.ubuntu:15.10 {"container_name":"/src-test_1.0.0.353_989549167.1","source":"stdout","log":" at com.example.myproject.Author.getBookTitles(Author.java:25)\r","container_id":"5a064eb23465350a11fe00b1f7787f5bd3e9f0182dd44c09516a72ab4006bd54"}
2015-12-17T19:19:47+00:00 docker.java.ubuntu:15.10 {"container_id":"5a064eb23465350a11fe00b1f7787f5bd3e9f0182dd44c09516a72ab4006bd54","container_name":"/src-test_1.0.0.353_989549167.1","source":"stdout","log":" at com.example.myproject.Bootstrap.main(Bootstrap.java:14)\r"}
2015-12-17T19:19:47+00:00 docker.java.ubuntu:15.10 {"container_id":"5a064eb23465350a11fe00b1f7787f5bd3e9f0182dd44c09516a72ab4006bd54","container_name":"/src-test_1.0.0.353_989549167.1","source":"stdout","log":"test\r"}
这是我用于in_tail的配置:
<source>
@type tail
tag docker.multiline
path /tmp/fluent/java*
pos_file /tmp/fluent/log.pos
refresh_interval 10
format multiline
format first_line /.*\"log\":\"[^\s].*/
format /\"log\":\"(?<message>.+)\\r/
</source>
正则表达式对我来说是正确的,当我将它们插入正则表达式测试仪时,first_line正则表达式仅匹配示例的第一行和最后一行,而正则表达式格式匹配每一行,但仅捕获堆栈跟踪信息,因为期待。但是,它们都是作为单独的消息发出的,几乎就像first_line匹配每行,而不是第一行和最后一行。
最佳答案
根据https://docs.fluentd.org/v0.12/articles/parser_multiline,配置键应为format_firstline和format(而不是format first_line和format)。
关于regex - 来自Docker的流畅捕获堆栈跟踪,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/34342820/