apiVersion: fluentbit.fluent.io/v1alpha2
kind: ClusterParser
metadata:
  name: xinit
  labels:
    fluentbit.fluent.io/enabled: "true"
spec:
  regex:
    # Logs from xinit loosely follow this format:
    #
    # [time] (level) message e.g. [1249124.123] (II) Running X session wrapper
    #
    # We group time, level and message. The following markers represent level:
    #
    #  (--) probed, (**) from config file, (==) default setting,
    #  (++) from command line, (!!) notice, (II) informational,
    #  (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
    #
    # Each group is optional, with differing padding any amount of padding around each. This 
    # leads to many log formats to account for:
    #
    # [time] message  e.g. [1249124.123] Running X session wrapper
    #                 e.g. [1249124.123]    Running X session wrapper
    # [time] (level)  e.g. [1249124.123] (II)
    # (level) message e.g. (EE) no screens found
    # [time]          e.g. [1249124.123]
    # (level)         e.g. (EE)
    # message         e.g. Running X session wrapper
    #
    # Note: we do not account for multi-line messages as there seems no real structure to how 
    # this is done, so we can't create a pattern to represent it. This means multi-line messages
    # are split into multiple log entries.
    #
    # For errors, this can mean subsequent lines are reported as info logs if they do not also
    # have the (EE) marker. As only error logs are synced to GCP we can miss some error messages, 
    # but generally the first line is enough to be useful.
    regex: '^(\[(?<time>\d+.\d+)\]){0,1}[ .]*(\((?<level>[-*=+!IWENI?]{2})\)){0,1} *(?<message>[^{].*){0,1}$'