You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: administration/configuring-fluent-bit/yaml/multiline-parsers-section.md
+16-4Lines changed: 16 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,10 +1,19 @@
1
1
# Multiline parsers
2
2
3
-
Multiline parsers are used to combine logs that span multiple events into a single, cohesive message. Use this parser for handling stack traces, error logs, or any log entry that contains multiple lines of information.
3
+
You can define custom [multiline parsers](../pipeline/parsers/multiline-parsing.md) in the `multiline_parsers` section of YAML configuration files.
4
4
5
-
In YAML configuration, the syntax for defining multiline parsers differs slightly from the classic configuration format introducing minor breaking changes, specifically on how the rules are defined.
5
+
{% hint style="info" %}
6
6
7
-
The following example demonstrates how to define a multiline parser directly in the main configuration file, and how to include additional definitions from external files:
7
+
To define standard custom parsers, use [the `parsers` section](../administration/configuring-fluent-bit/yaml/parsers-section.md) of YAML configuration files.
8
+
9
+
{% endhint %}
10
+
11
+
## Syntax
12
+
13
+
To define customers parsers in the `multiline_parsers` section of a YAML configuration file, use the following syntax:
14
+
15
+
{% tabs %}
16
+
{% tab title="fluent-bit.yaml" %}
8
17
9
18
```yaml
10
19
multiline_parsers:
@@ -20,6 +29,9 @@ multiline_parsers:
20
29
next_state: cont
21
30
```
22
31
32
+
{% endtab %}
33
+
{% endtabs %}
34
+
23
35
This example defines a multiline parser named `multiline-regex-test` that uses regular expressions to handle multi-event logs. The parser contains two rules: the first rule transitions from `start_state` to cont when a matching log entry is detected, and the second rule continues to match subsequent lines.
24
36
25
-
For more detailed information on configuring multiline parsers, including advanced options and use cases, refer to the Configuring Multiline Parsers documentation.
37
+
For information about supported configuration options for custom multiline parsers, see [configuring multiline parsers](./pipeline/parsers/multiline-parsing.md#configuring-multiline-parsers).
Copy file name to clipboardExpand all lines: pipeline/filters/multiline-stacktrace.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ Along with multiline filters, you can enable one of the following built-in Fluen
15
15
16
16
When using this filter:
17
17
18
-
- The usage of this filter depends on a previous configuration of a [multiline parser](../../administration/configuring-fluent-bit/multiline-parsing.md) definition.
18
+
- The usage of this filter depends on a previous configuration of a [multiline parser](../pipeline/parsers/multiline-parsing.md) definition.
19
19
- To concatenate messages read from a log file, it's highly recommended to use the multiline support in the [Tail plugin](https://docs.fluentbit.io/manual/pipeline/inputs/tail#multiline-support) itself. This is because performing concatenation while reading the log file is more performant. Concatenating messages that were originally one line, but split by Docker or CRI container engines because of their size, is supported in the [Tail plugin](https://docs.fluentbit.io/manual/pipeline/inputs/tail#multiline-support) in combination with the `docker` or `cri` parser. To concatenate application logs like stacktraces on top of that, you can use this multiline filter.
20
20
21
21
{% hint style="warning" %}
@@ -40,7 +40,7 @@ The plugin supports the following configuration parameters:
40
40
41
41
| Property | Description |
42
42
| -------- | ----------- |
43
-
|`multiline.parser`| Specify one or multiple [Multiline Parser definitions](../../administration/configuring-fluent-bit/multiline-parsing.md) to apply to the content. You can specify multiple multiline parsers to detect different formats by separating them with a comma. |
43
+
|`multiline.parser`| Specify one or multiple [Multiline Parser definitions](../pipeline/parsers/multiline-parsing.md) to apply to the content. You can specify multiple multiline parsers to detect different formats by separating them with a comma. |
44
44
|`multiline.key_content`| Key name that holds the content to process. A multiline parser definition can specify the `key_content` This option allows for overwriting that value for the purpose of the filter. |
45
45
|`mode`| Mode can be `parser` for regular expression concatenation, or `partial_message` to concatenate split Docker logs. |
46
46
|`buffer`| Enable buffered mode. In buffered mode, the filter can concatenate multiple lines from inputs that ingest records one by one (like Forward), rather than in chunks, re-emitting them into the beginning of the pipeline (with the same tag) using the `in_emitter` instance. With buffer off, this filter won't work with most inputs, except Tail. |
@@ -68,7 +68,7 @@ service:
68
68
flush: 1
69
69
log_level: info
70
70
parsers_file: parsers_multiline.yaml
71
-
71
+
72
72
pipeline:
73
73
inputs:
74
74
- name: tail
@@ -157,10 +157,10 @@ This file defines a multiline parser for the example. A second multiline parser
157
157
# Regex rules for multiline parsing
158
158
# ---------------------------------
159
159
#
160
-
# configuration hints:
160
+
# configuration hints:
161
161
#
162
162
# - first state always has the name: start_state
163
-
# - every field in the rule must be inside double quotes
163
+
# - every field in the rule must be inside double quotes
@@ -314,7 +314,7 @@ Lines that don't match a pattern aren't considered as part of the multiline mess
314
314
315
315
## Docker partial message use case
316
316
317
-
When Fluent Bit is consuming logs from a container runtime, such as Docker, these logs will be split when larger than a certain limit, usually 16 KB.
317
+
When Fluent Bit is consuming logs from a container runtime, such as Docker, these logs will be split when larger than a certain limit, usually 16 KB.
318
318
If your application emits a 100K log line, it will be split into seven partial messages. The docker parser will merge these back to one line. If instead you are using the [Fluentd Docker Log Driver](https://docs.docker.com/config/containers/logging/fluentd/) to send the logs to Fluent Bit, they might look like this:
Copy file name to clipboardExpand all lines: pipeline/inputs/tail.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -158,9 +158,9 @@ Multiline core is exposed by the following configuration:
158
158
159
159
| Key | Description |
160
160
|:-------------------|:---------------|
161
-
|`multiline.parser`| Specify one or multiple [Multiline Parser definitions](../../administration/configuring-fluent-bit/multiline-parsing.md) to apply to the content. |
161
+
|`multiline.parser`| Specify one or multiple [Multiline Parser definitions](../pipeline/parsers/multiline-parsing.md) to apply to the content. |
162
162
163
-
[Multiline Parser](../../administration/configuring-fluent-bit/multiline-parsing.md) provides built-in configuration modes. When using a new `multiline.parser` definition, you must disable the old configuration from your tail section like:
163
+
[Multiline Parser](../pipeline/parsers/multiline-parsing.md) provides built-in configuration modes. When using a new `multiline.parser` definition, you must disable the old configuration from your tail section like:
Copy file name to clipboardExpand all lines: pipeline/parsers/multiline-parsing.md
+10-8Lines changed: 10 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,11 +4,11 @@
4
4
5
5
In an ideal world, applications might log their messages within a single line, but in reality applications generate multiple log messages that sometimes belong to the same context. Processing this information can be complex, like in application stack traces, which always have multiple log lines.
6
6
7
-
Fluent Bit v1.8 implemented a unified Multiline core capability to solve corner cases.
7
+
Multiline parsers are used to combine logs that span multiple events into a single, cohesive message. Use this parser for handling stack traces, error logs, or any log entry that contains multiple lines of information.
8
8
9
9
## Concepts
10
10
11
-
The Multiline parser engine exposes two ways to configure and use the feature:
11
+
The multiline parser engine exposes two ways to configure and use the feature:
12
12
13
13
- Built-in multiline parser
14
14
- Configurable multiline parser
@@ -26,13 +26,15 @@ Fluent Bit exposes certain pre-configured parsers (built-in) to solve specific m
26
26
|`python`| Process log entries generated by a Python-based language application and perform concatenation if multiline messages are detected. |
27
27
|`ruby`| Process log entries generated by a Ruby-based language application and perform concatenation if multiline messages are detected. |
28
28
29
-
### Configurable multiline parsers
29
+
### Configuring multiline parsers
30
30
31
-
You can define your own Multiline parsers with their own rules, using a configuration file.
31
+
Custom multiline parsers support the following configuration parameters.
32
32
33
-
A multiline parser is defined in a `parsers configuration file` by using a `[MULTILINE_PARSER]` section definition. The multiline parser must have a unique name and a type, plus other configured properties associated with each type.
33
+
{% hint style="info" %}
34
+
35
+
To define a custom multiline parser, add an entry to the [`multiline_parsers` section](../configuring-fluent-bit/yaml/multiline-parsers-section.md) of your YAML configuration file.
34
36
35
-
To understand which multiline parser type is required for your use case you have to know the conditions in the content that determine the beginning of a multiline message, and the continuation of subsequent lines. Fluent Bit provides a regular expression-based configuration that supports states to handle from the most cases.
37
+
{% endhint %}
36
38
37
39
| Property | Description | Default |
38
40
| -------- | ----------- | ------- |
@@ -43,7 +45,7 @@ To understand which multiline parser type is required for your use case you have
43
45
|`negate`| Negate the pattern matching result. When set to `true`, a non-matching line is treated as matching. |`false`|
44
46
|`parser`| Name of a pre-defined parser that must be applied to the incoming content before applying the regular expression rule. If no parser is defined, it's assumed that's a raw text and not a structured message. When a parser is applied to a raw text, the regular expression is applied against a specific key of the structured message by using the `key_content` configuration property. |_none_|
45
47
|`rule`| Configure a rule to match a multiline pattern. The rule has a [specific format](#rules-definition). Multiple rules can be defined. Only used with `regex` type. |_none_|
46
-
|`type`| Set the multiline mode. Fluent Bit supports `regex`, `endswith`, and `equal` (or `eq`). |_none_|
48
+
|`type`| Set the multiline mode. Fluent Bit supports `regex`, `endswith`, and `equal` (or `eq`). To understand which multiline parser type is required for your use case you have to know the conditions in the content that determine the beginning of a multiline message, and the continuation of subsequent lines. Fluent Bit provides a regular expression-based configuration that supports states to handle from the most cases. |_none_|
0 commit comments