I'm trying to parse a string which has the following structure:
[2023/11/01@15:05:14.958+0100] P-3064 T-33556 I TSRV 3: (7129) Usr 5 set name to bronco.
With rubular.com I came to the following:
^\[(?<time>[^ ]*)\] (?<process>P.[\d]*) (?<thread>T.[\d]*) (?<severity>(I|W|F)) (?<component>[^\.]*): \((?<messagenumber>[\(\d\)]*)\) (?<message>.*)
This decomposes the string perfectly in the expected fields on the rubular website.
However, when I put this expression the Regex field of the FluentBit parser it just puts everything in the log property of the JSON.
"}] db-log: [1699002010.566232300, {"log"=>"[2023/11/03@10:00:10.536+0100] P-3064 T-33556 I TSRV 3: (7129) Usr 5 set name to bronco.
I'm puzzled What am I doing wrong here? Btw, the time is not the parsed time, but the FLuentbit generated one.
Some more puzzling, when I use
Regex ^\[(?<time>[^ ]*)\]\s(?<process>[^ ]*)\s(?<thread>[.]*)\s
I get the correct output:
[14] db-log: [1699005722.832000000, {"process"=>"P-3064"}]
and the time is parser correctly. But when adding any new field everything fails and the output JSON has just the log property.