...
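apiVersion: fluentbit.fluent.io/v1alpha2
kind: ClusterParser
metadata:
  name: xinit
  labels:
    fluentbit.fluent.io/enabled: "true"
spec:
  regex:
    # Logs from xinit loosely follow this format:
    #
    #   [time] (level) message    e.g. [1249124.123] (II) Running X session wrapper
    #
    # We group time, level and message. The following markers represent level:
    #
    #   (--) probed, (**) from config file, (==) default setting,
    #   (++) from command line, (!!) notice, (II) informational,
    #   (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
    #
    # Each group is optional, with any amount of padding around each. This
    # leads to many log formats to account for:
    #
    #   [time] message            e.g. [1249124.123] Running X session wrapper
    #                             e.g. [1249124.123] Running X session wrapper
    #   [time] (level)            e.g. [1249124.123] (II)
    #   (level) message           e.g. (EE) no screens found
    #   [time]                    e.g. [1249124.123]
    #   (level)                   e.g. (EE)
    #   message                   e.g. Running X session wrapper
    #
    # Note: we do not account for multi-line messages as there seems to be no real
    # structure to how this is done, so we can't create a pattern to represent it.
    # This means multi-line messages are split into multiple log entries.
    #
    # For errors, this can mean subsequent lines are reported as info logs if they
    # do not also have the (EE) marker. As only error logs are synced to GCP we can
    # miss some error messages, but generally the first line is enough to be useful.
    # Anyone investigating from the GCP side should treat a synced (EE) entry as
    # possibly incomplete and check the host log for its continuation lines.
    #
    # Pattern notes:
    #   - The dot inside the timestamp is escaped so that only a literal '.'
    #     separates the two digit runs; an unescaped '.' would accept any character.
    #   - The level class accepts any two characters from the marker alphabet, so
    #     it is looser than the ten markers listed above.
    #   - The message may not begin with '{', so a line that starts with '{' is
    #     not matched by this parser.
    regex: '^(\[(?<time>\d+\.\d+)\]){0,1}[ .]*(\((?<level>[-*=+!IWENI?]{2})\)){0,1} *(?<message>[^{].*){0,1}$'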