# Fluent Bit ClusterParser that splits each xinit log line into time, level and
# message groups.
apiVersion: fluentbit.fluent.io/v1alpha2
kind: ClusterParser
metadata:
  name: xinit
  labels:
    # Quoted on purpose: label values must be strings, and an unquoted true
    # would be parsed as a YAML boolean.
    fluentbit.fluent.io/enabled: "true"
spec:
  regex:
    # Logs from xinit loosely follow this format:
    #
    #   [time] (level) message    e.g. [1249124.123] (II) Running X session wrapper
    #
    # We group time, level and message. The following markers represent level:
    #
    #   (--) probed, (**) from config file, (==) default setting,
    #   (++) from command line, (!!) notice, (II) informational,
    #   (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
    #
    # Each group is optional, with any amount of padding around each. This
    # leads to many log formats to account for:
    #
    #   [time] message            e.g. [1249124.123] Running X session wrapper
    #                             e.g. [1249124.123] Running X session wrapper
    #                             (second example presumably differed only in
    #                             padding - TODO confirm)
    #   [time] (level)            e.g. [1249124.123] (II)
    #   (level) message           e.g. (EE) no screens found
    #   [time]                    e.g. [1249124.123]
    #   (level)                   e.g. (EE)
    #   message                   e.g. Running X session wrapper
    #
    # Note: we do not account for multi-line messages, as there seems to be no real
    # structure to how they are written, so we can't create a pattern to represent
    # them. This means multi-line messages are split into multiple log entries.
    #
    # For errors, this can mean subsequent lines are reported as info logs if they
    # do not also have the (EE) marker. As only error logs are synced to GCP we can
    # miss some error messages, but generally the first line is enough to be useful.
    #
    # NOTE(review): the synced error entries are therefore an incomplete record of
    # a failure. When investigating an incident, read the full xinit log at its
    # source rather than relying on the exported (EE) lines alone.
    regex: '^(\[(?