Merge pull request #1670 from fluent/lynettemiles/sc-135596/update-fluent-bit-fluent-bit-docs-administration

Author: esmerel

administration/configuring-fluent-bit/multiline-parsing.md

@@ -1,102 +1,109 @@
-# Multiline Parsing
+# Multiline parsing
 
-In an ideal world, applications might log their messages within a single line, but in reality applications generate multiple log messages that sometimes belong to the same context. But when is time to process such information it gets really complex. Consider application stack traces which always have multiple log lines.
+In an ideal world, applications might log their messages within a single line, but in
+reality applications generate multiple log messages that sometimes belong to the same
+context. Processing this information can be complex, like in application stack traces,
+which always have multiple log lines.
 
 <img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=e19a4c14-a9e4-4163-8f3a-52196eb9a585" />
 
-Starting from Fluent Bit v1.8, we have implemented a unified Multiline core functionality to solve all the user corner cases. In this section, you will learn about the features and configuration options available.
+Fluent Bit v1.8 implemented a unified Multiline core capability to solve corner cases.
 
 ## Concepts
 
-The Multiline parser engine exposes two ways to configure and use the functionality:
+The Multiline parser engine exposes two ways to configure and use the feature:
 
-* Built-in multiline parser
-* Configurable multiline parser
+- Built-in multiline parser
+- Configurable multiline parser
 
-### Built-in Multiline Parsers
+### Built-in multiline parsers
 
-Without any extra configuration, Fluent Bit exposes certain pre-configured parsers (built-in) to solve specific multiline parser cases, e.g:
+Fluent Bit exposes certain pre-configured parsers (built-in) to solve specific
+multiline parser cases. For example:
 
-| Parser | Description                                                                                                                             |
-| ------ | --------------------------------------------------------------------------------------------------------------------------------------- |
-| docker | Process a log entry generated by a Docker container engine. This parser supports the concatenation of log entries split by Docker.      |
-| cri    | Process a log entry generated by CRI-O container engine. Same as the _docker_ parser, it supports concatenation of log entries          |
-| go     | Process log entries generated by a Go based language application and perform concatenation if multiline messages are detected.          |
-| python | Process log entries generated by a Python based language application and perform concatenation if multiline messages are detected.      |
-| java   | Process log entries generated by a Google Cloud Java language application and perform concatenation if multiline messages are detected. |
+| Parser | Description |
+| ------ | ----------- |
+| `docker` | Process a log entry generated by a Docker container engine. This parser supports the concatenation of log entries split by Docker.      |
+| `cri` | Process a log entry generated by CRI-O container engine. Like the `docker` parser, it supports concatenation of log entries          |
+| `go`     | Process log entries generated by a Go based language application and perform concatenation if multiline messages are detected.          |
+| `python` | Process log entries generated by a Python based language application and perform concatenation if multiline messages are detected.      |
+| `java`   | Process log entries generated by a Google Cloud Java language application and perform concatenation if multiline messages are detected. |
 
-### Configurable Multiline Parsers
+### Configurable multiline parsers
 
-Besides the built-in parsers listed above, through the configuration files is possible to define your own Multiline parsers with their own rules. 
+You can define your own Multiline parsers with their own rules, using a configuration
+file.
 
-A multiline parser is defined in a _parsers configuration file_ by using a `[MULTILINE_PARSER]` section definition. The Multiline parser must have a unique name and a type plus other configured properties associated with each type. 
+A multiline parser is defined in a `parsers configuration file` by using a
+`[MULTILINE_PARSER]` section definition. The multiline parser must have a unique name
+and a type, plus other configured properties associated with each type.
 
-To understand which Multiline parser type is required for your use case you have to know beforehand what are the conditions in the content that determines the beginning of a multiline message and the continuation of subsequent lines. We provide a regex based configuration that supports states to handle from the most simple to difficult cases.
+To understand which multiline parser type is required for your use case you have to
+know the conditions in the content that determine the beginning of a multiline
+message, and the continuation of subsequent lines. Fluent Bit provides a regular expression-based
+configuration that supports states to handle from the most cases.
 
-| Property      | Description                                                                                                                                                                                                                                                                                                                                                                                                               | Default |
-| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| name          | Specify a unique name for the Multiline Parser definition. A good practice is to prefix the name with the word `multiline_` to avoid confusion with normal parser's definitions.                                                                                                                                                                                                                                          |         |
-| type          | Set the multiline mode, for now, we support the type `regex`.                                                                                                                                                                                                                                                                                                                                                             |         |
-| parser        | <p>Name of a pre-defined parser that must be applied to the incoming content before applying the regex rule. If no parser is defined, it's assumed that's a raw text and not a structured message. </p><p></p><p>Note: when a parser is applied to a raw text, then the regex is applied against a specific key of the structured message by using the  <code>key_content</code>  configuration property (see below).</p> |         |
-| key_content   | For an incoming structured message, specify the key that contains the data that should be processed by the regular expression and possibly concatenated.                                                                                                                                                                                                                                                                  |         |
-| flush_timeout | Timeout in milliseconds to flush a non-terminated multiline buffer. Default is set to 5 seconds.                                                                                                                                                                                                                                                                                                                          | 5s      |
-| rule          | Configure a rule to match a multiline pattern. The rule has a specific format described below. Multiple rules can be defined.                                                                                                                                                                                                                                                                                             |         |
+| Property | Description | Default |
+| -------- | ----------- | ------- |
+| `name` | Specify a unique name for the multiline parser definition. A good practice is to prefix the name with the word `multiline_` to avoid confusion with normal parser definitions. | _none_ |
+| `type`          | Set the multiline mode. Fluent Bit supports the type `regex`.| _none_ |
+| `parser`        | Name of a pre-defined parser that must be applied to the incoming content before applying the regular expression rule. If no parser is defined, it's assumed that's a raw text and not a structured message. <br /> When a parser is applied to a raw text, the regular expression is applied against a specific key of the structured message by using the `key_content` configuration property. | _none_ |
+| `key_content`   | For an incoming structured message, specify the key that contains the data that should be processed by the regular expression and possibly concatenated. | _none_ |
+| `flush_timeout` | Timeout in milliseconds to flush a non-terminated multiline buffer. | `5s` |
+| `rule`          | Configure a rule to match a multiline pattern. The rule has a [specific format](#rules-definition). Multiple rules can be defined. | _none_|
 
-#### Lines and States
+#### Lines and states
 
-Before start configuring your parser you need to know the answer to the following questions:
+Before configuring your parser you need to know the answer to the following questions:
 
-1. What is the regular expression (regex) that matches the first line of a multiline message ?
-2. What are the regular expressions (regex) that match the continuation lines of a multiline message ?
+1. What's the regular expression (`regex`) that matches the first line of a multiline message?
+1. What are the regular expressions (`regex`) that match the continuation lines of a multiline message?
 
-When matching regex, we have to define **states**, some states define the start of a multiline message while others are states for the continuation of multiline messages. You can have multiple **continuation states** definitions to solve complex cases.
+When matching a regular expression, you must to define `states`. Some states define the start of a multiline message while others are states for the continuation of multiline messages. You can have multiple `continuation states` definitions to solve complex cases.
 
-The first regex that matches the start of a multiline message is called **start_state**, then other regexes continuation lines can have different state names.
+The first regular expression that matches the start of a multiline message is called
+`start_state`. Other regular expression continuation lines can have different state names.
 
-#### Rules Definition
+#### Rules definition
 
 A rule specifies how to match a multiline pattern and perform the concatenation. A rule is defined by 3 specific components:
 
-1. state name
-2. regular expression pattern
-3. next state 
+- state name
+- regular expression pattern
+- next state
 
-A rule might be defined as follows (comments added to simplify the definition) :
+A rule might be defined as follows (comments added to simplify the definition):
 
-```
+```text
 # rules   |   state name   | regex pattern                   | next state
 # --------|----------------|---------------------------------------------
 rule         "start_state"   "/([a-zA-Z]+ \d+ \d+\:\d+\:\d+)(.*)/"   "cont"
 rule         "cont"          "/^\s+at.*/"                      "cont"
 ```
 
-In the example above, we have defined two rules, each one has its own state name, regex patterns, and the next state name. Every field that composes a rule **must be** inside double quotes. 
+This example defines two rules. Each rule has its own state name, regex patterns, and the next state name. Every field that composes a rule must be inside double quotes.
 
-The first rule of state name **must always** be **start_state**, and the regex pattern **must** match the first line of a multiline message, also a next state must be set to specify how the possible continuation lines would look like.
+The first rule of a state name must be `start_state`. The regex pattern must match the first line of a multiline message, and a next state must be set to specify what the possible continuation lines look like.
 
 {% hint style="info" %}
-To simplify the configuration of regular expressions, you can use the Rubular web site. We have posted an example by using the regex described above plus a log line that matches the pattern:\
-\
-[https://rubular.com/r/NDuyKwlTGOvq2g](https://rubular.com/r/NDuyKwlTGOvq2g)
+To simplify the configuration of regular expressions, you can use the [Rubular]((https://rubular.com/r/NDuyKwlTGOvq2g)) web site. This link uses the regex described in the previous example, plus a log line that matches the pattern:
 {% endhint %}
 
-#### Configuration Example
+#### Configuration example
 
-The following example provides a full Fluent Bit configuration file for multiline parsing by using the definition explained above.
+The following example provides a full Fluent Bit configuration file for multiline parsing by using the definition explained previously.
 
 {% hint style="info" %}
-The following example files can be located at:\
-\
-[https://github.com/fluent/fluent-bit/tree/master/documentation/examples/multiline/regex-001](https://github.com/fluent/fluent-bit/tree/master/documentation/examples/multiline/regex-001)
+The following example files can be located [at this link](https://github.com/fluent/fluent-bit/tree/master/documentation/examples/multiline/regex-001).
 {% endhint %}
 
 Example files content:
 
 {% tabs %}
 {% tab title="fluent-bit.conf" %}
-This is the primary Fluent Bit configuration file. It includes the `parsers_multiline.conf` and tails the file `test.log` by applying the multiline parser `multiline-regex-test`. Then it sends the processing to the standard output. 
+This is the primary Fluent Bit configuration file. It includes the `parsers_multiline.conf` and tails the file `test.log` by applying the multiline parser `multiline-regex-test`. Then it sends the processing to the standard output.
 
-```
+```python
 [SERVICE]
     flush        1
     log_level    info
@@ -112,12 +119,13 @@ This is the primary Fluent Bit configuration file. It includes the `parsers_mult
     name             stdout
     match            *
 ```
+
 {% endtab %}
 
 {% tab title="parsers_multiline.conf" %}
 This second file defines a multiline parser for the example.
 
-```
+```python
 [MULTILINE_PARSER]
     name          multiline-regex-test
     type          regex
@@ -136,12 +144,13 @@ This second file defines a multiline parser for the example.
     rule      "start_state"   "/([a-zA-Z]+ \d+ \d+\:\d+\:\d+)(.*)/"  "cont"
     rule      "cont"          "/^\s+at.*/"                     "cont"
 ```
+
 {% endtab %}
 
 {% tab title="test.log" %}
 An example file with multiline content:
 
-```
+```text
 single line...
 Dec 14 06:41:08 Exception in thread "main" java.lang.RuntimeException: Something has gone wrong, aborting!
     at com.myproject.module.MyProject.badMethod(MyProject.java:22)
@@ -152,13 +161,14 @@ Dec 14 06:41:08 Exception in thread "main" java.lang.RuntimeException: Something
 another line...
 
 ```
+
 {% endtab %}
 {% endtabs %}
 
 By running Fluent Bit with the given configuration file you will obtain:
 
-```
-$ fluent-bit -c fluent-bit.conf 
+```text
+$ fluent-bit -c fluent-bit.conf
 
 [0] tail.0: [0.000000000, {"log"=>"single line...
 "}]
@@ -174,29 +184,28 @@ $ fluent-bit -c fluent-bit.conf
 
 ```
 
-The lines that did not match a pattern are not considered as part of the multiline message, while the ones that matched the rules were concatenated properly.
+The lines that didn't match a pattern aren't considered as part of the multiline message, while the ones that matched the rules were concatenated properly.
 
 ## Limitations
 
 The multiline parser is a very powerful feature, but it has some limitations that you should be aware of:
 
-* The multiline parser is not affected by the `buffer_max_size` configuration option, allowing the composed log record to grow beyond this size.
-Hence, the `skip_long_lines` option will not be applied to multiline messages. 
-* It is not possible to get the time key from the body of the multiline message. However, it can be extracted and set as a new key by using a filter.
+- The multiline parser isn't affected by the `buffer_max_size` configuration option, allowing the composed log record to grow beyond this size. The `skip_long_lines` option won't be applied to multiline messages.
+- It's not possible to get the time key from the body of the multiline message. However, it can be extracted and set as a new key by using a filter.
 
 ## Get structured data from multiline message
 
-Fluent-bit supports `/pat/m` option. It allows `.` matches a new line. It is useful to parse multiline log.
+Fluent-bit supports the `/pat/m` option. It allows `.` matches a new line, which can be used to parse multiline logs.
 
-The following example is to get `date` and `message` from concatenated log.
+The following example retrieves `date` and `message` from concatenated logs.
 
 Example files content:
 
 {% tabs %}
 {% tab title="fluent-bit.conf" %}
 This is the primary Fluent Bit configuration file. It includes the `parsers_multiline.conf` and tails the file `test.log` by applying the multiline parser `multiline-regex-test`. It also parses concatenated log by applying parser `named-capture-test`. Then it sends the processing to the standard output.
 
-```
+```python
 [SERVICE]
     flush        1
     log_level    info
@@ -218,12 +227,13 @@ This is the primary Fluent Bit configuration file. It includes the `parsers_mult
     name             stdout
     match            *
 ```
+
 {% endtab %}
 
 {% tab title="parsers_multiline.conf" %}
 This second file defines a multiline parser for the example.
 
-```
+```python
 [MULTILINE_PARSER]
     name          multiline-regex-test
     type          regex
@@ -247,12 +257,13 @@ This second file defines a multiline parser for the example.
     Format regex
     Regex /^(?<date>[a-zA-Z]+ \d+ \d+\:\d+\:\d+) (?<message>.*)/m
 ```
+
 {% endtab %}
 
 {% tab title="test.log" %}
 An example file with multiline content:
 
-```
+```text
 single line...
 Dec 14 06:41:08 Exception in thread "main" java.lang.RuntimeException: Something has gone wrong, aborting!
     at com.myproject.module.MyProject.badMethod(MyProject.java:22)
@@ -263,12 +274,13 @@ Dec 14 06:41:08 Exception in thread "main" java.lang.RuntimeException: Something
 another line...
 
 ```
+
 {% endtab %}
 {% endtabs %}
 
 By running Fluent Bit with the given configuration file you will obtain:
 
-```
+```text
 $ fluent-bit -c fluent-bit.conf
 
 [0] tail.0: [1669160706.737650473, {"log"=>"single line...
@@ -282,4 +294,4 @@ $ fluent-bit -c fluent-bit.conf
 "}]
 [2] tail.0: [1669160706.737657687, {"log"=>"another line...
 "}]
-```
+```