Fluentd
Fluentd
Introduction
Overview
Installation
Configuration
Deployment
Container Deployment
Monitoring Fluentd
Input Plugins
Output Plugins
Filter Plugins
Parser Plugins
regexp
apache2
apache_error
nginx
syslog
ltsv
csv
tsv
json
msgpack
multiline
none
Formatter Plugins
Buffer Plugins
Storage Plugins
Service Discovery Plugins
How-to Guides
Language Bindings
Plugin Development
Plugin Helper API
Powered by GitBook

regexp

The regexp parser plugin parses logs by given regexp pattern. The regexp must have at least one named capture (?<NAME>PATTERN). If the regexp has a capture named time, this is configurable via time_key parameter, it is used as the time of the event. You can specify the time format using the time_format parameter.

<parse>
  @type regexp
  expression /.../
</parse>

Parameters

See Parse Section Configurations for common parameters.

expression

type

default

version

regexp

required parameter

1.2.0

Specifies the regular expression for matching logs. Regular expression also supports i and m suffix.

i (ignorecase)

Ignores case in matching.

expression /.../i

m (multiline)

Build regular expression as a multiline mode. . matches the newline. See Ruby's Regexp.

expression /.../m

both

Specifies both i and m.

expression /.../im

expression is the string type before 1.2.0.

ignorecase

type

default

version

bool

false

0.14.2

Ignores case in matching. Use i option with expression.

Deprecated since 1.2.0. Use expression /pattern/i instead.

multiline

type

default

version

bool

false

0.14.2

Builds regular expression in multiline mode. . matches the newline. See Ruby's Regexp. Use m option with expression.

Deprecated since 1.2.0. Use expression /pattern/m instead.

Example

With this configuration:

<parse>
  @type regexp
  expression /^\[(?<logtime>[^\]]*)\] (?<name>[^ ]*) (?<title>[^ ]*) (?<id>\d*)$/
  time_key logtime
  time_format %Y-%m-%d %H:%M:%S %z
  types id:integer
</parse>

This incoming event:

[2013-02-28 12:00:00 +0900] alice engineer 1

is parsed as:

time:
1362020400 (2013-02-28 12:00:00 +0900)
​
record:
{
  "name" : "alice",
  "title": "engineer",
  "id"   : 1
}

FAQ

How to debug my regexp pattern?

​fluentd-ui's in_tail editor helps your regexp testing. Another way, Fluentular is a great website to test your regexp for Fluentd configuration.

NOTE: You may hit Application Error at Fluentular due to heroku's free plan limitation. Retry a few hours later or use fluentd-ui instead.

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.

Previous
Parser Plugins
Next
apache2
Last updated 2 months ago
Contents
Parameters
expression
ignorecase
multiline
Example
FAQ
How to debug my regexp pattern?