I want to make a log management system with EFK. I've been trying for days now to get my multiline mycat log parser to work with fluent-bit.
My fluent-bit configuration:
parsers.conf:
[PARSER]
    Name mycat_error_log_parser_head
    Format regex
    Regex ^(?<time>(\d)+(-\d+)+(\S)+\W(\S)+)(\s+)(?<action>\S+)(\s+)(?<on>\S+)
    Time_Key time
    Time_Format %Y-%m-%d %H:%M:%S.%L
    Time_Keep On
[PARSER]
    Name mycat_error_log_parser
    Format regex
    Regex ^(?<time>(\d)+(-\d+)+(\S)+\W(\S)+)(\s+)(?<action>\S+)(\s+)(?<on>\S+)(\s+)(?<content>(.|\s)*)$
    Time_Key time
    Time_Format %Y-%m-%d %H:%M:%S.%L
    Time_Keep On
fluent-bit.conf:
[INPUT]
    Name tail
    tag mycat
    path /var/log/mycat.log
    Multiline On
    Parser_Firstline mycat_error_log_parser_head
    Parser mycat_error_log_parser
    Path_Key file
and the mycat.log looks like this:
mycat.log
2018-08-02 09:59:41.205 INFO [$_NIOConnector] (io.mycat.backend.datasource.PhysicalDatasource.getConnection(PhysicalDatasource.java:529)) - no ilde connection in pool,create new connection for hostS1 of schema mysql
2018-08-02 09:59:53.939 INFO [Timer0] (io.mycat.backend.datasource.PhysicalDatasource.getConnection(PhysicalDatasource.java:529)) - no ilde connection in pool,create new connection for hostS1 of schema mysql
2018-08-02 10:00:01.173 ERROR [$_NIOConnector] (io.mycat.net.NIOConnector.finishConnect(NIOConnector.java:155)) - error:
java.net.ConnectException: Connection timed out
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[?:1.7.0_111]
at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:744) ~[?:1.7.0_111]
at io.mycat.net.NIOConnector.finishConnect(NIOConnector.java:165) ~[Mycat-server-1.6.5-release.jar:?]
at io.mycat.net.NIOConnector.finishConnect(NIOConnector.java:143) ~[Mycat-server-1.6.5-release.jar:?]
at io.mycat.net.NIOConnector.run(NIOConnector.java:98) ~[Mycat-server-1.6.5-release.jar:?]
2018-08-02 10:00:01.173 INFO [$_NIOConnector] (io.mycat.net.AbstractConnection.close(AbstractConnection.java:514)) - close connection,reason:java.net.ConnectException: Connection timed out ,MySQLConnection [id=0, lastTime=1533175073937, user=root, schema=mysql, old shema=mysql, borrowed=false, fromSlaveDB=true, threadId=0, charset=utf8, txIsolation=3, autocommit=true, attachment=null, respHandler=null, host=parse1, port=3306, statusSync=null, writeQueue=0, modifiedSQLExecuted=false]
2018-08-02 10:00:01.173 INFO [$_NIOConnector] (io.mycat.sqlengine.SQLJob.connectionError(SQLJob.java:117)) - can't get connection for sql :select user()
I think I'm close now, but no luck so far.
In my Kibana, I get the following result:
My multi-line error log is missing, but when I test it in Rubular it parses normally.
Any help would be appreciated.
This configuration worked for your log file. Fluent Bit published 5 documents to Elasticsearch with this configuration.
parsers.conf:
[PARSER]
    Name mycat_error_log_parser_head
    Format regex
    Regex ^(?<time>(\d)+(-\d+)+(\S)+\W(\S)+)(\s+)(?<action>\S+)(\s+)(?<on>\S+)(\s+)(?<content>.*)
    Time_Key time
    Time_Format %Y-%m-%d %H:%M:%S.%L
    Time_Keep On
[PARSER]
    Name mycat_error_log_parser
    Format regex
    Regex (?m-ix)^(?<time>(\d)+(-\d+)+(\S)+\W(\S)+)(\s+)(?<action>\S+)(\s+)(?<on>\S+)(\s+)(?<content>.*)
    Time_Key time
    Time_Format %Y-%m-%d %H:%M:%S.%L
    Time_Keep On
fluent-bit.conf:
[INPUT]
    Name tail
    tag mycat
    path /var/log/mycat.log
    Multiline On
    Parser_Firstline mycat_error_log_parser_head
    Parser_1 mycat_error_log_parser
    Path_Key file
Two changes were made to the configuration from the question: the Regex config was changed in the [PARSER] sections, and Parser was changed to Parser_1 in the [INPUT] section.
I faced a similar problem with multiline parsing. My observation is that Parser_Firstline should cover the entire first line of the multiline message, and Parser_1 .. Parser_N should cover the entire structure of the multiline message.
Fluent Bit documentation on multiline configuration: https://fluentbit.io/documentation/0.12/input/tail.html
Please change Parser to Parser_1.
Parser_Firstline must be the regex matching all except the multiline exceptions, and Parser_1 must be the regex matching all including multiline exceptions.
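The split both answers describe, as an added Python model (not Fluent Bit's code and not from the original posts): a first-line regex decides where a record starts, and a whole-record regex in which "." crosses newlines captures the stack trace. The function names and the abridged sample lines are assumptions made for this example.

```python
import re

# The answer's regexes in Python spelling: Onigmo's (?<name>...) is (?P<name>...).
PATTERN = (r"^(?P<time>(\d)+(-\d+)+(\S)+\W(\S)+)(\s+)(?P<action>\S+)"
           r"(\s+)(?P<on>\S+)(\s+)(?P<content>.*)")
HEAD = re.compile(PATTERN)             # Parser_Firstline: "." stops at a newline
FULL = re.compile(PATTERN, re.DOTALL)  # Parser_1: Onigmo (?m) lets "." cross newlines

# Sample input: lines abridged from the mycat.log in the question.
SAMPLE = """\
2018-08-02 09:59:41.205 INFO [$_NIOConnector] (PhysicalDatasource.java:529) - no ilde connection in pool
2018-08-02 09:59:53.939 INFO [Timer0] (PhysicalDatasource.java:529) - no ilde connection in pool
2018-08-02 10:00:01.173 ERROR [$_NIOConnector] (NIOConnector.java:155) - error:
java.net.ConnectException: Connection timed out
\tat sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[?:1.7.0_111]
\tat io.mycat.net.NIOConnector.run(NIOConnector.java:98) ~[Mycat-server-1.6.5-release.jar:?]
2018-08-02 10:00:01.173 INFO [$_NIOConnector] (AbstractConnection.java:514) - close connection
2018-08-02 10:00:01.173 INFO [$_NIOConnector] (SQLJob.java:117) - can't get connection for sql :select user()
""".splitlines()


def group_records(lines):
    """Open a new record on every line HEAD matches; append other lines to it."""
    records, current = [], None
    for line in lines:
        if HEAD.match(line):
            if current is not None:
                records.append(current)
            current = line
        elif current is not None:  # continuation line, e.g. a stack frame
            current += "\n" + line
    if current is not None:
        records.append(current)
    return records


def parse_records(lines):
    """Apply the whole-record regex to each grouped record."""
    return [FULL.match(rec).groupdict() for rec in group_records(lines)]


if __name__ == "__main__":
    for doc in parse_records(SAMPLE):
        print(doc["time"], doc["action"], repr(doc["content"][:60]))
```

Applying HEAD instead of FULL to the grouped ERROR record captures only the first line of content, which is why the whole-record parser needs the (?m) flag.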
I would like some advice to work around an xml parsing error. In my BLAST xml output, I have a description that has an '&' character which is throwing off the SearchIO.parse function.
If I run
from Bio import SearchIO

qresults = SearchIO.parse(PLAST_output, "blast-xml")
for record in qresults:
    pass  # do some stuff
I get the following error:
cElementTree.ParseError: not well-formed (invalid token): line 13701986, column 30
Which directs me to this line:
<Hit_def>Lysosomal & prostatic acid phosphatases [Xanthophyllomyces dendrorhous</Hit_def>
Is there a way to override this in biopython so I do not have to change my xml file? Right now, I'm just doing a 'Try/Except' loop, but that is not optimal!
Thanks for your help!
Courtney
On VSTS, I use the "Replace Tokens" task to replace tokens in the SetParameters.xml file with the VSTS variables. But I have variables which contain an XML string.
For example, with a VSTS variable which contains:
<string>aaa</string><string>bbb</string><string>ccc</string>
I got in the SetParameters.xml:
<setParameter name="FolderTreeStructureRootFullControl"
value="<string>aaa</string><string>bbb</string><string>ccc</string>" />
After, when I deploy the website with the "WinRM - IIS Web App Deployment" task, I have this error :
System.Exception: Error: '<', hexadecimal value 0x3C, is an invalid attribute character.
Is there a way to fix this error without replacing all '<' and '>' characters with &lt; and &gt; escape strings?
Thank you.
No, you can't. I recommend that you encode the value to base64 and decode the value in the code.
I am trying to parse incoming CSV files containing one field with a date-time string using fluentd (written in Ruby), but it throws an error for the provided custom time format.
To check whether I am using the correct format, I wrote sample Ruby code (I'm not a Ruby programmer, so I used an online Ruby IDE) and found that the format works well when I try to write using it, but Ruby throws an error when I try to read using this format:
[ code ]
require 'time'
time = Time.new
puts "writing time : " + time.strftime("%d-%b-%y %I.%M.%S.%9N %p")
newtime = Time.strptime("29-Sep-16 07.45.45.331680519 PM", "%d-%b-%y %I.%M.%S.%9N %p")
puts "reading time : " + newtime.to_s
[ output ]
sh-4.3$ ruby main.rb
writing time : 29-Sep-16 05.47.36.206929933 PM
/usr/share/ruby/time.rb:427:in `strptime': invalid strptime format - `%d-%b-%y %I.%M.%S.%9N %p' (ArgumentError)
from main.rb:10:in `<main>'
I checked many posts where people found issues with strptime but could not understand how to resolve the above. Please suggest.
Looks like the problem was with %9N - it is not supported. I changed %9N to %N and the parsing was successful.
http://ruby-doc.org/stdlib-1.9.3/libdoc/date/rdoc/DateTime.html specifies formats like %3N, %9N etc for parsing milliseconds, nanoseconds.. but it doesn't seem to work.
Thanks to tadman for suspecting this specifier.
Since I started developing under J3.2, I've had a recurrent error with the Joomla "calendar" field.
Once the field value is recorded in the database with the SQL format "Y-m-d H:i:s", I get an error 500 when I open the form to edit my content.
DateTime::__construct() [datetime.--construct]: Failed to parse time string (2014-10-17 10-28-58) at position 11 (1): Unexpected character
The K2 component and all its associated extensions are disabled.
It appears that the parser has a problem with the empty string between the date and the time.
Can anybody give me a solution?
Thanks in advance for your help!
Mickael
I found my mistake: the format string of my calendar field was bad.
I used "Y-m-d H-i-s" instead of "Y-m-d H:i:s".
I am trying to parse a huge JSON file. It's more than 524288 characters, and I can't parse it with Groovy and don't have the text of the exception. Is it a known issue? Is there any workaround?
Can it be a limitation of Tomcat?
Update:
I've got an exception:
ERROR (org.codehaus.groovy.grails.web.errors.GrailsExceptionResolver) - JSONException occurred when processing request: [POST] /person/parsePersonJson
Expected a ',' or ']' at character 524288 of ...
Update2:
In Grails I used:
JSON.parse(params.myJson)
Changed the Tomcat setting maxPostSize to "0".
It may be related to the value of the configured POST parameter size in Tomcat (maxPostSize). You should refer to this documentation: http://tomcat.apache.org/tomcat-5.5-doc/config/http.html (keyword: "maxPostSize") for more explanation. Then you can try to increase that value. Hope this helps!
It was a problem with input size. Max input size by specification is 512k.