Join Docker log lines when they are split because of size #6967
Conversation
exekias
force-pushed
the
docker-multiline
branch
from
c5ef925 to
91ca896
Compare
| return message, err | ||
| } | ||
| // Handle multiline messages, join lines that don't end with \n | ||
| for message.Content[len(message.Content)-1] != byte('\n') { |
There was a problem hiding this comment.
Should we enable this first through a config option and have it as default later on? This would allow us to start playing around with it.
@exekias I'm glad we have the docker prospector ;-)
There was a problem hiding this comment.
That's a great idea, I'll add it
|
@ruflin I added the |
exekias
force-pushed
the
docker-multiline
branch
from
285a44e to
691cf74
Compare
| ===== `containers.partial` | ||
|
|
||
| Enable partial messages joining. Docker splits log lines larger than 16k bytes, enable this | ||
| to join them while reading (default: false). |
There was a problem hiding this comment.
I think it would be useful to specify that it works by joining lines that don't end with \n.
There was a problem hiding this comment.
uhm that's something specific to the json-file format, it's not the user who adds the \n. Do you think it's worth it? If yes, I would explain the whole story about how the format works
There was a problem hiding this comment.
I thought this whole input was specific to json-file log driver?
I do think it's useful for the user to understand what's happening if for nothing else than to avoid questions on the subject. I would add the info it's simple to explain, but if the explanation is complicated I wouldn't put it in the docs because it could confuse users.
|
Code LGTM. For the config I was thinking to put it outside Naming wise I was thinking if we could find a name that is more directed into what it does instead of what problem it solves. So instead of |
|
👍 How about |
|
👍 on combine_partials. I just realised the the docker input is still in experimental, so we could already turn it on by default and see what happens. Still good to have a config option so in case things go wrong, we can turn it off. |
|
I've renamed the flag to |
|
@exekias Could you rebase and squash your PR when updating the config file and update the commit and PR message? |
Docker `json-file` driver splits lines longer than 16k bytes, this change adapts the code to detect that situation and join them again to output a single event. This behavior is enabled by default, it can be disabled by using the new `combine_partials` flag. Fixes elastic#6605
|
done! |
|
nice! |
Docker `json-file` driver splits lines longer than 16k bytes, this change adapts the code to detect that situation and join them again to output a single event. This behavior is enabled by default, it can be disabled by using the new `combine_partials` flag. Fixes elastic#6605
Docker `json-file` driver splits lines longer than 16k bytes, this change adapts the code to detect that situation and join them again to output a single event. This behavior is enabled by default, it can be disabled by using the new `combine_partials` flag. Fixes elastic#6605
|
When should be available? version 6.4? |
|
That's correct, it should be available by 6.4 |
|
@exekias This was not released with 6.3.0 today right? |
|
?! hope it was.... really need this |
|
Whats the eta on 6.4? |
|
I'm afraid this didn't make it to 6.3.0, it should be available with |
|
As Carlos mentioned we normally don't backport any features and I don't think we can qualify it as a bug. The biggest worry with backporting is that it could break something that works now which can always happen. I personally would prefer to not backport but make sure it is as stable as possible in 6.4. |
|
So the cadence is roughly quarterly and we can expect 6.4 in 3 months or so? |
|
We don't give an estimates on the release dates ;-) If you want to test / use the feature we have some snapshots available: https://beats-package-snapshots.s3.amazonaws.com/index.html?prefix=filebeat/ |
|
so 3 more months? |
|
Is it possible to use existing multiline match parameters to replicate this functionality? |
|
We are running a fork of this fix, but in the for loop, we are noticing that it doesnt catch EOF of files and will sometimes exit half way through processing a long line. This means that the currently-processed partial log line will not have been completely processed. Later, when the next part of the now-half-processed log line arrives in the tailed log file, filebeat will fail to parse it. . Specifically, the following check will fail: Below is the parse error we see We have added a retry if io.EOF is reached for now, but im wondering whether the backoff code, that ive seen in other parts of the code, is getting into this bit of the code, or whether it should. |
|
Hi @wallies, thank you for your feedback, and thank you for testing unreleased features! Could you please open a new issue for this one (or pull request 😉)? happy to discuss it there and try to fix it for 6.4 |
|
@ruflin it's been |
|
@towolf It will be released with the rest of the stack in 6.4 hopefully pretty soon. |
Docker
json-filedriver splits lines longer than 16k bytes, thischange adapts the code to detect that situation and join them again to
output a single event.
This behavior is enabled by default, it can be disabled by using the new
combine_partialsflag.Fixes #6605