Regarding Container Input

dawiro · July 31, 2023, 3:13pm

Hi,
I see that combine_partial is not a parameter for the container input. Does the input now automatically handle docker's 16kb message limit?

Thx
D

dawiro · August 1, 2023, 7:33am

Is there anyone that can provide clarification on this?

jsoriano · August 1, 2023, 8:28am

Hey @dawiro,

Yes, it seems this feature slipped during the refactors for the container and filestream inputs. Are you finding issues with this?

jsoriano · August 1, 2023, 8:32am

I mean, the logic is there, and this behaviour is in theory maintained by default, but there doesn't seem to be any setting to disable it.

dawiro · August 1, 2023, 9:37am

We're making changes to our multiline config and devs are claiming that separate log events are being combined, ie. that the multiline config isn't working. My answer is that, unknown to them, they're emitting newlines which are getting merged instead of being split out as they had been before.

I'm asking this question as due diligence to assess if something else could be wrong. Note: a complicating factor for us is that we don't have access to the raw container logs.

dawiro · August 1, 2023, 9:38am

We do have fat messages that exceed the 16kb limit. So we do need the combine_partial functionality.

jsoriano · August 1, 2023, 9:45am

Indeed if the messages contain new lines at the end they are likely going to be merged by the logic to combine partial lines.

How are you defining the multiline configuration? Maybe you can give a try to the filestream input, that has container and multiline parsers and gives a bit more of control on when each one is executed.

dawiro · August 1, 2023, 2:02pm

Atm, we''re using the container input with a separate multiline and json handling spec. If we use filestream will we still get docker/container metadata for log enrichment?

dawiro · August 2, 2023, 9:58am

@jsoriano

jsoriano · August 2, 2023, 2:29pm

You can have enrichment if you use an autodiscover provider, or the add_docker_metadata processor.

How are you enriching now?

dawiro · August 2, 2023, 2:54pm

We're using add_docker_metadata. If we were to switch to filestream what would we lose relative to the continer input? Also, I presume the filestream input won't handle logs chopped up by docker.

jsoriano · August 2, 2023, 3:07pm

Umm, not sure, I am afraid that it will do the same. If you could confirm that it neither work for your use case we can open an issue to recover this setting.

dawiro · August 3, 2023, 9:14am

Is the handling of the 16kb limit part of the container input or part of beats itself in a general sense?

jsoriano · August 3, 2023, 10:19am

The 16kb limit is part of Docker. The container input joins lines that end up with newline, independently of their size.

dawiro · August 3, 2023, 1:06pm

So, the filestream input would not recombine messages chopped up by docker. That would create a different problem for us.

system · August 31, 2023, 3:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat breaking up docker log lines Beats filebeat	3	799	September 26, 2018
Problems using multiline configurations Beats docker , filebeat	5	440	August 17, 2022
Filebeat cannot merge partial events Beats docker , filebeat	2	449	June 24, 2021
"exclude_lines" not working with docker input Beats docker , filebeat	8	810	January 5, 2020
About AWS S3 Input Beats docker , filebeat	6	396	March 29, 2022

Regarding Container Input

Related topics