fluent-bit: Grep filter doesn't work for systemd logs
Bug Report
Describe the bug: Grep filter doesn’t work for fields in systemd logs.
To Reproduce
- Rubular link if applicable: https://rubular.com/r/j1QOxj0JOFBemK
- Steps to reproduce the problem:
== Config ==
[INPUT]
    # https://docs.fluentbit.io/manual/input/systemd
    Name            systemd
    Alias           systemd.docker
    Tag             docker
    Path            /var/log/journal
    DB              /var/log/fluent-bit-k8s-node-journald-docker.db
    Systemd_Filter  _SYSTEMD_UNIT=docker.service

[INPUT]
    # https://docs.fluentbit.io/manual/input/systemd
    Name            systemd
    Alias           systemd.kubelet
    Tag             kubelet
    Path            /var/log/journal
    DB              /var/log/fluent-bit-k8s-node-journald-kubelet.db
    Systemd_Filter  _SYSTEMD_UNIT=kubelet.service

[INPUT]
    # https://docs.fluentbit.io/manual/input/systemd
    Name            systemd
    Alias           systemd.node-journal
    Tag             node-journal
    Path            /var/log/journal
    DB              /var/log/fluent-bit-k8s-node-journald.db

[FILTER]
    # https://docs.fluentbit.io/manual/filter/grep
    Name     grep
    Alias    remove-duplicates
    Match    node-journal
    # Changing regex to "(docker|kubelet)\.service" or "docker|kubelet" has no effect.
    Exclude  _SYSTEMD_UNIT ^(docker|kubelet)\.service$

[FILTER]
    # https://docs.fluentbit.io/manual/filter/stdout
    Name   stdout
    Match  *
== Result ==
stdout logs show kubelet.service and docker.service systemd logs being logged twice: once with tag kubelet|docker, and once with tag node-journal. One example is in the rubular link.
Expected behavior: systemd logs get tagged with “node-journal” only if _SYSTEMD_UNIT == !(docker.service OR kubelet.service). More specifically:
- systemd logs with _SYSTEMD_UNIT=docker.service get tagged as “docker”
- systemd logs with _SYSTEMD_UNIT=kubelet.service get tagged as “kubelet”
- systemd logs with _SYSTEMD_UNIT=[anything that’s not docker.service or kubelet.service] get tagged as “node-journal”
Your Environment
- Version used: fluent/fluent-bit:1.0.5-debug
- Environment name and version (e.g. Kubernetes? What version?): GKE (1.12.6-gke.10) cluster, with nodes running:
- OS image: Container-Optimized OS from Google
- Container runtime version: docker://17.3.2
- kubelet version: v1.12.6-gke.10
- Filters and plugins: [input] systemd, [filter] grep, stdout
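As an added example (not code from the report or from fluent-bit), a small Python model of the routing the config above is meant to produce: it applies the two Systemd_Filter inputs and the grep Exclude rule to constructed journald-style records, so an exclusion regex can be checked for duplicates and over-matching before it is deployed. It assumes the filter uses search semantics (regex found anywhere in the field value), which is why the anchors matter; the unit docker-cleanup.service is hypothetical and exists only to show what an unanchored pattern would silently drop.

```python
import re

# Constructed journald-style records carrying only the fields that matter here
# (fluent-bit's systemd input emits journal fields as record keys).
# docker-cleanup.service is a hypothetical unit, included for the over-matching case.
RECORDS = [
    {"_SYSTEMD_UNIT": "docker.service", "MESSAGE": "Container started"},
    {"_SYSTEMD_UNIT": "kubelet.service", "MESSAGE": "SyncLoop (PLEG)"},
    {"_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Accepted publickey for core"},
    {"_SYSTEMD_UNIT": "docker-cleanup.service", "MESSAGE": "pruned 3 images"},
    {"MESSAGE": "audit: backlog limit exceeded"},  # kernel message, no unit field
]

def systemd_filter(records, unit):
    """Model Systemd_Filter _SYSTEMD_UNIT=<unit>: journald does an exact field match."""
    return [r for r in records if r.get("_SYSTEMD_UNIT") == unit]

def grep_exclude(records, key, pattern):
    """Model the grep filter's Exclude rule (assumed search semantics): drop a record
    when KEY is present and the regex is found anywhere in its value."""
    rx = re.compile(pattern)
    return [r for r in records if key not in r or rx.search(r[key]) is None]

def route(records, exclude_pattern=r"^(docker|kubelet)\.service$"):
    """Reproduce the three inputs plus the grep filter from the report and return
    tag -> list of _SYSTEMD_UNIT values (None for records without that field)."""
    streams = {
        "docker": systemd_filter(records, "docker.service"),
        "kubelet": systemd_filter(records, "kubelet.service"),
        "node-journal": grep_exclude(records, "_SYSTEMD_UNIT", exclude_pattern),
    }
    return {tag: [r.get("_SYSTEMD_UNIT") for r in rs] for tag, rs in streams.items()}

def duplicated_units(routed):
    """Units delivered under more than one tag: the symptom described in the report."""
    tags_by_unit = {}
    for tag, units in routed.items():
        for unit in units:
            tags_by_unit.setdefault(unit, set()).add(tag)
    return sorted(u for u, tags in tags_by_unit.items() if len(tags) > 1)

if __name__ == "__main__":
    # Anchored pattern, unanchored variant from the config comment, and a pattern
    # that never matches a unit name (models the filter having no effect).
    for pattern in (r"^(docker|kubelet)\.service$", r"docker|kubelet", r"^$"):
        routed = route(RECORDS, pattern)
        print(pattern, routed["node-journal"], "duplicates:", duplicated_units(routed))
```

With the anchored pattern nothing is duplicated and docker-cleanup.service still reaches node-journal; the unanchored `docker|kubelet` removes the duplicates too but also drops that unit, and a non-matching pattern reproduces the double delivery from the report.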
About this issue
- State: closed
- Created 5 years ago
- Comments: 21 (9 by maintainers)
Commits related to this issue
- filter_grep: use new regex_find() API and fix group matching (#1270) Signed-off-by: Eduardo Silva <eduardo@treasure-data.com> — committed to fluent/fluent-bit by bluebike 5 years ago
@qingling128 as soon as we finish fixing this issue: https://github.com/fluent/fluent-bit/issues/1278. It’s almost done, just waiting for user feedback.