Key-Value Pairs Parser Plugin for Fluentd
This plugin is forked fluent-plugin-kvp-parser.
This is a parser plugin for Fluentd. Learn more about parser plugins here.
This plugin allows you to parse inputs that look like key-value pairs. For example, if your text logs look like
"this_field=10000 that_field=hello time=2013-01-01T12:34:00"
It is parsed as
{"this_field":10000, "that_field":"hello"}with the event's time being 2013-01-01T12:34:00
For Fluentd,
fluentd-gem install fluent-plugin-kvp-parser
Then, for parser-plugin enabled input plugins (including tail, tcp, udp, syslog and most notably multi_format, you can write format kvp
For example, using tcp with the following configuration:
<source>
type tcp
port 24225
tag kv_log
format kvp
time_key my_time
types k1:integer,my_time:time
</source>
<match kv_log>
type stdout
</match>Running
echo 'my_time=2014-12-31T00:00:00 k1=1234 k2=hello' | nc localhost 24224gives
2014-12-31 00:00:00 +0000 kv_log: {"k1":1234,"k2":"hello"}-
kv_delimiter: The delimiter for key-value pairs. By default
\t\s(one or more whitespace/tabs).kv_delimiter asplits on one or more "a"skv_delimiter absplits on one or more "a"s or "b"s
-
kv_char: The string to split the key from the value. By default, it is "=".
-
time_key: The time key field among the key-value pairs to be used as the time for the event. If missing or unparsable, the current time is used.
-
types: Is the same as for other parse plugins.The parameter to convert the values of key-value pairs. The syntax is
<key_name>:<type_name>. For example, to convert the key "k1" into an integer, writetypes k1:integer. For thetimetype, one can write<key_name>:time:<time_format>to convert the string into a time object. For example, to convert the string "my_time=12/31/2014 12:00:00", usemy_time:time:%m/%d/%Y %H:%M:%S. See a more detailed description of the time parameters