I want to apply the concat filter to the logs of a Java app that is deployed on Kubernetes, to concatenate multiline logs (not only exceptions) into one log event.
This is the final working version after fixing the problems.
The idea is to add a label to the deployment:

metadata:
  ...
spec:
  ...
  template:
    metadata:
      labels:
        logtype: springboot

Fluentd config:

# rewrite tag of events with kubernetes label kubernetes.labels.logtype=springboot
#
# it is important to change the tag. If the tag is not modified the event will be
# reemitted with the same tag and matched again by the rewrite tag filter -> infinite loop
<match kubernetes.var.log.containers.**>
  @type rewrite_tag_filter
  @log_level debug
  <rule>
    key $.kubernetes.labels.logtype
    pattern /^springboot$/
    tag springboot.${tag}
  </rule>
  # the rewrite tag filter is an event sink. Events that are not reemitted by the plugin
  # are gone. So we need a catch-all rule to reemit any event that is not caught
  # by the spring boot rule.
  <rule>
    key log
    pattern /^.*$/
    # and the tag must be changed so that the event will skip the rewrite filter after reemitting
    tag unmatched.${tag}
  </rule>
</match>

# Handle multiline logs for springboot logs.
<filter springboot.**>
  @type concat
  key log
  separator ""
  multiline_start_regexp /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}\ (ERROR|WARN|INFO|DEBUG|TRACE)/
</filter>

<match **/> - this either has a typo or it's an invalid fluentd config. <match **> will match the rewritten tag as well, before it gets to <match springboot.**>. To avoid this, put match spring boot before the ** match, or shrink the ** match to what is coming from the kube, e.g. <match kube.**>. Re-tagged events are injected back to the beginning of the pipeline, and go through its parts in the order they appear in a config.
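
To check what the multiline_start_regexp in the concat filter above will group before deploying it, the grouping rule can be run over sample lines. This is an added example, not code from the post or from fluent-plugin-concat: concat_events is a hypothetical, simplified model (no flush timeout, one stream), and the sample lines are constructed.

```ruby
# Simplified model of grouping by multiline_start_regexp (added example;
# not fluent-plugin-concat's own code). The regexp is copied from the config.
START = /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}\ (ERROR|WARN|INFO|DEBUG|TRACE)/

# Fold raw container log lines into events: a line matching the start regexp
# closes the buffered event and opens a new one; any other line is appended.
def concat_events(lines, start_regexp: START, separator: "")
  events = []
  buffer = []
  lines.each do |line|
    if line.match?(start_regexp)
      events << buffer.join(separator) unless buffer.empty?
      buffer = [line]
    elsif buffer.empty?
      events << line   # nothing buffered to attach to: passes through alone
    else
      buffer << line   # continuation (stack frame, wrapped message)
    end
  end
  events << buffer.join(separator) unless buffer.empty?
  events
end

# Constructed sample input. Each line keeps its trailing newline, which is
# why an empty separator still yields readable multi-line events.
SAMPLE = [
  "2020-01-15 10:00:00.001 INFO Starting service\n",
  "2020-01-15 10:00:01.250 ERROR Request failed\n",
  "java.lang.IllegalStateException: boom\n",
  "\tat com.example.Demo.run(Demo.java:42)\n",
  # Level padded with an extra space: the regexp allows exactly one space,
  # so this line is not a start line and is folded into the ERROR event.
  "2020-01-15 10:00:02.000  INFO two spaces before the level\n",
  "2020-01-15 10:00:03.000 WARN Disk usage high\n",
]

if __FILE__ == $PROGRAM_NAME
  concat_events(SAMPLE).each_with_index do |event, i|
    puts "event #{i}: #{event.inspect}"
  end
end
```

If the application's log pattern pads the level, the start regexp needs to allow for the extra whitespace, otherwise unrelated records are merged into the preceding event.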