TechQA.

How to split log (key) field with fluentbit?

2.7k views Asked by At

We are sending node.js code to OpenSearch using FluentBit. We are having issues because log key contains nested value as message. We need to split the values mentioned in the below log message -

log-    {"level":"info","message":"\"{\"method:\" GET , \"url:\" / , \"status:\" 404 , \"responseTime:\" 0.545 ms , \"responseContentLength:\" 39}\"\n","timestamp":"2022-04-01T12:48:37.091Z"}

We need to split each and every field as separate -

level: info method: GET status: 404

elasticsearch filebeat opensearch fluent-bit fluent-bit-rewrite-tag
Original Q&A
1

There are 1 answers

0
wjkw1 On

We had a similar problem and there was two parts to the solution:

  1. Add Kubernetes filter in the Fluent-bit config file
  2. Correct the json logging from our APIs/microservices

Though your issue looks json format related, specifically for the message field (see point 2 below)

1. Add Kubernetes filter in the Fluent-bit config file

  ## https://docs.fluentbit.io/manual/pipeline/filters
  filters: |
    [FILTER]
        Name kubernetes
        Match kube.*
        Merge_Log On
        Merge_Log_Key log_processed
        Keep_Log Off
        K8S-Logging.Parser On
        K8S-Logging.Exclude On

Now this splits the json output in new fields:

  • log = "{original dict as string}"
  • log_processed.level = "info"
  • log_processed.message = etc.

2. Correct the json logging from our APIs

It looks like the message field in your json is outputting as a String, not a json object.

i.e. you have:

{
  "level": "info",
  "message": "\"{\"method:\" GET , \"url:\" / , \"status:\" 404 , \"responseTime:\" 0.545 ms , \"responseContentLength:\" 39}\"\n",
  "timestamp": "2022-04-01T12:48:37.091Z"
}

But you may want this instead:

{
  "level": "info",
  "message": {
    "method": "GET",
    "url": "/",
    "status": "404",
    "responseTime": "0.545 ms",
    "responseContentLength": 39
  },
  "timestamp": "2022-04-01T12:48:37.091Z"
}

Please note that I've assumed datatypes here to demonstrate the issue only.

Some relevant reading/links:

Related Questions in ELASTICSEARCH

Related Questions in FILEBEAT

Related Questions in OPENSEARCH

Related Questions in FLUENT-BIT

Related Questions in FLUENT-BIT-REWRITE-TAG

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions