Resolved: How to replace search time with "time" field in fluentbit?

In this post, we will see how to resolve How to replace search time with “time” field in fluentbit?

Question:

I defined a customized multiline parser with regex and another parser to split time and log line into fields “time” and “message” respectively:

How could I replace the search time with the value of “time”?
Here is my multiline parser, invoked with tail input:

[MULTILINE_PARSER]
name          jsm
type          regex
flush_timeout 1000
# rules |   state name  | regex pattern                  | next state
# ------|---------------|--------------------------------------------
rule      "start_state"   "/(\d{4}\-\d{2}-\d{2} \d{2}\:\d{2}\:\d{2}\,\d+[\+\-]\d+)(.*)/"  "cont"
rule      "cont"          "/^[\s+at|java|Caused]/"            "cont"

Here is the parser:

[PARSER]
Name jsm
Format regex
Regex /^(?<time>\d{4}\-\d{2}-\d{2} \d{2}\:\d{2}\:\d{2}\,\d+[\+\-]\d+) (?<message>.*)/m

The parser above is invoked in Filter:

[FILTER]
name             parser
match            *
key_name         log
parser           jsm

Thanks.
Try to find a solution to complete this search.

Best Answer:

Issue fixed after adding a parameter Time_Format in Parser jsm, this has to match the time format in the log entry, otherwise it will be ignored.

If you have better answer, please add a comment about this, thank you!

Source: Stackoverflow.com

Resolved: How to replace search time with “time” field in fluentbit?

Question:

Best Answer:

Related