
regexp

The regexp parser plugin parses logs using a given regular expression pattern. The regexp must have at least one named capture (?<NAME>PATTERN). If the regexp has a capture named time (the capture name is configurable via the time_key parameter), it is used as the time of the event. You can specify the time format using the time_format parameter.

<parse>
  @type regexp
  expression /.../
</parse>

Parameters

See Parse Section Configurations for common parameters.

expression

type: regexp
default: required parameter
version: 1.2.0

Specifies the regular expression for matching logs. The regular expression also supports the i and m suffixes.

i (ignorecase)

Ignores case in matching.

expression /.../i

m (multiline)

Builds the regular expression in multiline mode, in which . also matches a newline. See Ruby's Regexp.

expression /.../m

both

Specifies both i and m.

Before 1.2.0, expression was a string type.

ignorecase

type: bool
default: false
version: 0.14.2

Ignores case in matching. Use i option with expression.

Deprecated since 1.2.0. Use expression /pattern/i instead.

multiline

type: bool
default: false
version: 0.14.2

Builds the regular expression in multiline mode, in which . also matches a newline. See Ruby's Regexp. Use the m option with expression.

Deprecated since 1.2.0. Use expression /pattern/m instead.
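
The following Ruby sketch is an added illustration, not Fluentd's own code: it mimics how named captures become record fields, how the capture named by time_key becomes the event time, and what the i and m suffixes change. The helper parse_line, its keyword arguments, the pattern, and the log lines are all hypothetical and constructed for this example.

```ruby
require 'time'

# Added illustration (not Fluentd's code). parse_line is a hypothetical helper
# that mimics the behaviour described above using Ruby's Regexp directly.
def parse_line(expression, line, time_key:, time_format:)
  m = expression.match(line)
  return nil unless m                    # no match: the line is not parsed

  record = m.named_captures              # each named capture becomes a field
  raw_time = record.delete(time_key)     # time capture is taken out of the record here
  time = raw_time ? Time.strptime(raw_time, time_format) : nil
  [time, record]
end

# Constructed sample pattern, time format and log line.
PATTERN = /^\[(?<logtime>[^\]]*)\] (?<user>[^ ]*) (?<action>.*)$/
FORMAT  = '%Y-%m-%d %H:%M:%S %z'
LINE    = '[2024-01-15 10:30:00 +0000] alice LOGIN ok'

def demo_basic
  parse_line(PATTERN, LINE, time_key: 'logtime', time_format: FORMAT)
end

# i suffix: case is ignored in matching.
def demo_ignorecase
  sample = 'ERROR disk full'
  [/(?<level>error)/.match?(sample), /(?<level>error)/i.match?(sample)]
end

# m suffix: . also matches a newline, so one capture can span several lines.
# Worth knowing when a logged value may itself contain newlines.
def demo_multiline
  text = "trace: line one\nline two"
  [/trace: (?<body>.*)/.match(text)[:body],
   /trace: (?<body>.*)/m.match(text)[:body]]
end

if __FILE__ == $PROGRAM_NAME
  p demo_basic
  p demo_ignorecase
  p demo_multiline
end
```
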

Example

With this configuration:

This incoming event:

is parsed as:

FAQ

How to debug my regexp pattern?

fluentd-ui's in_tail editor helps you test your regexp. Alternatively, Fluentular is a great website for testing a regexp for Fluentd configuration.

NOTE: You may hit an Application Error at Fluentular due to the limitations of Heroku's free plan. Retry a few hours later or use fluentd-ui instead.

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
