https://github.com/fluent/fluent-plugin-parser-cri

CRI log parser for Fluentd
https://github.com/fluent/fluent-plugin-parser-cri

Last synced: 8 months ago
JSON representation

CRI log parser for Fluentd

• Host: GitHub
• URL: https://github.com/fluent/fluent-plugin-parser-cri
• Owner: fluent
• License: apache-2.0
• Created: 2020-12-18T01:01:52.000Z (about 5 years ago)
• Default Branch: main
• Last Pushed: 2023-09-12T01:24:34.000Z (over 2 years ago)
• Last Synced: 2025-06-08T16:08:27.368Z (9 months ago)
• Language: Ruby
• Size: 21.5 KB
• Stars: 34
• Watchers: 17
• Forks: 9
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# fluent-plugin-parser-cri

[Fluentd](https://fluentd.org/) parser plugin to parse CRI logs.

CRI logs consist of `time`, `stream`, `logtag` and `message` parts like below:

```

2020-10-10T00:10:00.333333333Z stdout F Hello Fluentd

time: 2020-10-10T00:10:00.333333333Z

stream: stdout

logtag: F

message: Hello Fluentd

```

## Installation

### RubyGems

```

$ gem install fluent-plugin-parser-cri --no-document

```

## Configuration

* **merge_cri_fields** (bool) (optional): Put `stream`/`logtag` fields or not when `` section is specified. Default is `true`

### \ section (optional)

Same as [parser plugin configuration](https://docs.fluentd.org/configuration/parse-section).

```aconf

  @type cri

  

    @type json

  

```

This nested `` is used for parsing `message` part.

## Log and configuration example

### Basic case

```aconf

  @type cri

```

With this configuration, following CRI log

```

2020-10-10T00:10:00.333333333Z stdout F Hello Fluentd

```

is parsed to

```

time: 2020-10-10T00:10:00.333333333Z

record: {"stream":"stdout","logtag":"F","message":"Hello Fluentd","time':'2020-10-10T00:10:00.333333333Z"}

```

### Parse message part with parsers

By specifying `` section, you can parse `message` part with parser plugins.

```aconf

  @type cri

  

    @type json

    time_key time

    time_format %Y-%m-%dT%H:%M:%S.%L%z

    # keep_time_key true # if you want to keep "time" field, enable this parameter

  

```

With this configuration, following CRI log

```

2020-10-10T00:10:00.333333333Z stdout F {"foo":"bar","num":100,"time":"2020-11-11T00:11:00.111111111Z"}

```

is parsed to

```

time: 2020-11-11T00:11:00.111111111Z

record: {"foo":"bar","num":100,"stream":"stdout","logtag":"F"}

```

If you don't need `stream`/`logtag` fields, set `merge_cri_fields false` like below:

```

  @type cri

  merge_cri_fields false

  

    @type json

    time_key time

    time_format %Y-%m-%dT%H:%M:%S.%L%z

  

```

### Concatenate multiple `message` records into one

If you want to concatenate the following `message` records into one record, 

use @type [concat](https://github.com/fluent-plugins-nursery/fluent-plugin-concat) filter plugin with `use_partial_cri_logtag` parameter.

 ```

2020-10-10 09:10:00.333333333 +0900 cri: {"stream":"stdout","logtag":"P","message":"This is first line","time":"2020-10-10T00:10:00.333333333Z"}

2020-10-10 09:11:00.333333333 +0900 cri: {"stream":"stdout","logtag":"F","message":"This is last line","time":"2020-10-10T00:11:00.333333333Z"}

```

See fluent-plugin-concat's [usage](https://github.com/fluent-plugins-nursery/fluent-plugin-concat#usage) in more details.

## Copyright

* Copyright(c) 2020- Fluentd project

* License

  * Apache License, Version 2.0