Multi-line Detection in Edge Delta

Read multiline logs as a single log message.

  2 minute read  

Configuration v2

See the latest version here.

Overview

You can ensure that multiline logs are treated as a single log message by configuring the new line.

To better understand this concept, consider the following example of java stack trace:

2023-02-01 12:35:45 com.google.devtools.search.cloud.feeder.MakeLog: RuntimeException: Run from this message!
    at com.my.app.Object.do$a1(MakeLog.java:50)
    at java.lang.Thing.call(Thing.java:10)
    at com.my.app.Object.help(MakeLog.java:40)
    at sun.javax.API.method(API.java:100)
    at com.jetty.Framework.main(MakeLog.java:30)

Without multiline processing, during collection, this java stack trace will produce the following log lines for additional processing (parsing and ingesting):

log: {
2023-02-01 12:35:45 com.google.devtools.search.cloud.feeder.MakeLog: RuntimeException: Run from this message!
}
log: {
    at com.my.app.Object.do$a1(MakeLog.java:50)
}
log: {
    at java.lang.Thing.call(Thing.java:10)
}
log: {
    at com.my.app.Object.help(MakeLog.java:40)
}
log: {
    at sun.javax.API.method(API.java:100)
}
log: {
    at com.jetty.Framework.main(MakeLog.java:30)
}

Enable Multiline Detection

There are two ways to ensure that logs with multiple lines are treated as a single log:

  • Specify a line pattern, or
  • Enable auto line detection.
inputs:
  containers:
    - labels: "errorcheck"
      include:
        - "image=.*"
      auto_detect_line_pattern: true
    - labels: "apache-web"
      include:
      - "name=apache*,image=.*latest$"
      exclude:
        - "image=.*nginx.*"
        - "name=.*nginx.*"
      line_pattern: ^\d{4}-\d{2}-\d{2}

auto_detect_line_pattern

Detects line patterns automatically based on the Ragel FSM Based Lexical Recognition process. There is no need to specify line_pattern explicitly.

inputs:
  containers:
    - labels: "errorcheck"
      include:
        - "image=.*"
      auto_detect_line_pattern: true

line_pattern

To specify a line pattern, you can use the line_pattern parameter with a Golang regex rule to match the line break. The agent will process lines using this specific line separation rule, rather than using a new line("\n").

inputs:
  containers:
    - labels: "apache-web"
      include:
      - "name=apache*,image=.*latest$"
      exclude:
        - "image=.*nginx.*"
        - "name=.*nginx.*"
      line_pattern: ^\d{4}-\d{2}-\d{2}