Multiline Config not applied #1008

Closed
LarsWinters opened this issue Nov 6, 2023 · 4 comments
Labels
Splunk Platform Issue related to Splunk Platform destination


LarsWinters commented Nov 6, 2023

Hi all,

we try to set a MultiLineConfig for all Namespaces, Pods and Containers. It should use Multiline for all logs starting with "Caused by" or a leading whitespace. The config looks like this:

multilineConfigs:
      - namespaceName:
          value: .*
        podName:
          value: .*
          useRegexp: true
        containerName:
          value: .*
        firstEntryRegex: ^(?:\s|Caused by)

If I put this regex in regex101 and test it with a Log it works just fine. I suppose it doesn't apply correctly. Is the wildcard .* valid?
Or any other ideas why it doesn't work?
Best regards


atoulme commented Nov 6, 2023

You might need to set useRegexp on the other fields:

multilineConfigs:
      - namespaceName:
          value: .*
          useRegexp: true
        podName:
          value: .*
          useRegexp: true
        containerName:
          value: .*
          useRegexp: true
        firstEntryRegex: ^(?:\s|Caused by)


wedge22 commented Nov 7, 2023

Do you see a specific error when trying to deploy? My only other suggestion would be adding ""

multilineConfigs:
      - namespaceName:
          value: ".*"
          useRegexp: true
        podName:
          value: ".*"
          useRegexp: true
        containerName:
          value: ".*"
          useRegexp: true
        firstEntryRegex: ^(?:\s|Caused by)


matthewmodestino commented Nov 7, 2023

Antoine has likely identified your issue. It is also handy to review what this renders in the configmap so you can read the logic.

I have to advise this is really not recommended, as it is very unlikely your entire cluster needs the logs passed thru this regex. Will likely result in unexpected issues and performance impacts.

It is strongly recommended to try and target the actual workloads that this rule will apply. You can create some pretty flexible rules if you look under the hood in the configmap and take the router and operator logic and move it into extraOperators section.

Otherwise 🤷 yolo!

LarsWinters commented

Yes! The solution was to enable useRegexp for all "layers". Thanks @atoulme

Also thank you @matthewmodestino for the advice. We will look into it and try to specify it to the very specific workloads!
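
Added example, not part of the thread or the project's own code: a dry run of the three-selector matching that the fix in this thread implies, showing how many workloads each rule would cover before it is deployed. It assumes a selector is compared as a literal string unless `useRegexp: true` is set, in which case `value` is an unanchored regular expression; the workload names and the `SCOPED` rule are constructed for illustration.

```python
import re

FIELDS = ("namespaceName", "podName", "containerName")

def selector_matches(selector, actual):
    # Assumption: a selector is a literal string comparison unless
    # useRegexp is true, in which case value is an unanchored regex.
    if selector.get("useRegexp", False):
        return re.search(selector["value"], actual) is not None
    return selector["value"] == actual

def matched_workloads(rule, workloads):
    # A rule applies only when all three selectors match the workload.
    return [w for w in workloads
            if all(selector_matches(rule[f], w[f]) for f in FIELDS)]

def workload(ns, pod, container):
    return {"namespaceName": ns, "podName": pod, "containerName": container}

# Constructed inventory; all names are hypothetical.
WORKLOADS = [
    workload("payments", "api-7d9f", "app"),
    workload("payments", "api-7d9f", "istio-proxy"),
    workload("kube-system", "coredns-5c4b", "coredns"),
]

# As first posted: only podName is treated as a regex.
ORIGINAL = {
    "namespaceName": {"value": ".*"},
    "podName": {"value": ".*", "useRegexp": True},
    "containerName": {"value": ".*"},
}
# As suggested in the thread: useRegexp on every field.
FIXED = {f: {"value": ".*", "useRegexp": True} for f in FIELDS}
# Narrowed to one workload (hypothetical selector values).
SCOPED = {
    "namespaceName": {"value": "payments"},
    "podName": {"value": "^api-", "useRegexp": True},
    "containerName": {"value": "app"},
}

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("fixed", FIXED), ("scoped", SCOPED)):
        hits = matched_workloads(rule, WORKLOADS)
        print(f"{name}: {len(hits)} of {len(WORKLOADS)} workloads matched")
```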
