如何根据日志有效负载中的某些关键字更改Fluentd中日志消息的严重性级别(INFO,ERROR,WARNING等)?
[英]How to change the severity level (INFO, ERROR, WARNING, etc.) of log message in Fluentd based on some keyword in the log payload?
问题描述
I really hope somebody would help me out with this question, as I have been trying to figure it out for days. 
我真的希望有人会帮我解决这个问题,因为我已经尝试了好几天了。
I have container running in kubernetes in GKE. 我在GKE的kubernetes中运行了容器。 In /var/log/containers/my_container.log, I have something like this (among some other logs with different formats): 在/var/log/containers/my_container.log中,我有类似的内容(其他一些格式不同的日志中):
{"log":"17-Oct-2017;04:36:29.744 : [main] [server:] [id:] [yt:] ERROR no.myproject.service.Server - call failed for some reason\n","stream":"stdout","time":"2017-10-17T04:36:29.750702216Z"}
This log appears on Stackdriver (Fluentd output in GKE) as INFO log and like: 此日志以INFO日志的形式显示在Stackdriver(GKE中的有效输出)上,如下所示:
23:02:32.000 17-Oct-2017;04:36:29.744 : [main] [server:] [id:] [yt:] ERROR no.myproject.service.Server - call failed for some reason
So 所以
23:02:32.000
is added to it (which is the normal behavior of Stackdriver). 添加到它(这是Stackdriver的正常行为)。 I will refer to this format as format 2. 我将这种格式称为格式2。
As this log message actually is an ERROR log message (based on its payload content) I want it to appear as ERROR in Stackdriver (Fluentd). 由于此日志消息实际上是一个ERROR日志消息(基于其有效负载内容),我希望它在Stackdriver(Fluentd)中显示为ERROR。
I am trying: 我在尝试:
<filter reform.**>
type parser
format /^(?<time>\d{2} [^\s]*) : (?<message2>[^ \]]*)\] (?<message3>[^ \]]*)\] (?<message4>[^ \]]*)\] (?<message5>[^ \]]*)\] (?<severity>\w)\s+(?<log2222>.*)/
reserve_data true
suppress_parse_error_log false
key_name log
</filter>
hoping to get the severity of the message change to ERROR and also getting the content of the [..] fields in the log as some new key/values (in this case message2: main, etc). 希望将消息的严重性更改为ERROR,并希望将日志中[..]字段的内容作为一些新的键/值(在本例中为message2:main等)获得。
But after adding this filter to my config file, the output logs are still as before and I don't see any change. 但是在将此过滤器添加到我的配置文件后,输出日志仍然像以前一样,并且看不到任何变化。
What am I missing? 我想念什么? When I am writting my Regex pattern, I am not sure if I actually should consider the "log" field of the message in the log file in kubernetes or the one that I called format 2 (with the time added to it - on Stackdriver). 当我编写正则表达式模式时,不确定是否应该考虑在kubernetes日志文件中还是在我称为格式2的日志文件中添加消息的“ log”字段(添加了时间-在Stackdriver上) 。
I would really appreciate any advice, it would be a great help. 我真的很感谢任何建议,这将是很大的帮助。
1 个解决方案
解决方案1
0 已采纳 2017-10-17 10:07:40
I don't know the tool you're using, but it looks like first part of your regex does not match the exact format of the prefixed time in your log string. 我不知道您使用的工具是什么,但看起来正则表达式的第一部分与日志字符串中前缀时间的确切格式不匹配。
Actually \\d{2} will only match 2 digits. 实际上\\d{2}仅匹配2位数字。
To match the entire time prefix you may use (?:\\d{2}:){2}\\d{2}\\.\\d{3} instead. 要匹配整个时间前缀,可以改用(?:\\d{2}:){2}\\d{2}\\.\\d{3} 。
One additional point regarding severity: you wrote (?<severity>\\w) which captures only one word character. 关于严重性的另一点是:您编写的(?<severity>\\w)仅捕获一个单词字符。 You may use (?<severity>\\w+) to match several characters. 您可以使用(?<severity>\\w+)匹配多个字符。
Your regex would then become: 您的正则表达式将变为:
^(?<time>(?:\d{2}:){2}\d{2}\.\d{3} [^\s]*) : (?<message2>[^ \]]*)\] (?<message3>[^ \]]*)\] (?<message4>[^ \]]*)\] (?<message5>[^ \]]*)\] (?<severity>\w+)\s+(?<log2222>.*)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.