Use <source> inside <label @FLUENT_LOG> section in fluentd configuration

Question

I want to change the format of fluentd own logs before sending on stdout. To achieve this, I have captured fluentd logs using label @FLUENT_LOG and then configured a filter to format the logs and then a match with type stdout. Similarly I have log file called alert.log. I want to read the logs of this file and format it with the same filters as above. I tried to use <source> inside the <label @FLUENT_LOG> but it didn't work.

To reproduce:

• To start fluentd process: /usr/sbin/fluentd
• Fluentd configuration: Refer "working configuration" and "not working configuration" section to get the config.

Expected behavior

• Fluentd logs on stdout should display both alert.log file logs and fluentd own logs.
• Only fluentd own logs are displaying.

Fluentd version: 1.16.2

Working configuration

<system>
  <log>
    format json
    time_format %Y-%m-%dT%H:%M:%S%z
  </log>
</system>
<source>
  @type tail
  path /tmp/alertLogs/alert.log
  pos_file /tmp/fluentd.pos
  read_from_head true
  tag alert_logs
  <parse>
    @type json
  </parse>
</source>
<filter alert_logs>
  @type record_modifier
  enable_ruby true
  <record>
    log ${ { message: record["message"]  } }
    type "log"
    level ${record.has_key?("level") ? record["level"]: "unavailable" }
    time ${record.has_key?("time") ? record["time"]: time.strftime('%Y-%m-%dT%H:%M:%S%z') }
  </record>
  remove_keys dummy
</filter>
<match alert_logs>
  @type stdout
</match>
<label @FLUENT_LOG>
  <filter fluent.*>
    @type record_modifier
    enable_ruby true
    <record>
      log ${ { message: record["message"]  } }
      type "log"
      level ${record.has_key?("level") ? record["level"]: "unavailable" }
      time ${record.has_key?("time") ? record["time"]: time.strftime('%Y-%m-%dT%H:%M:%S%z') }
    </record>
    remove_keys dummy
  </filter>
  <match fluent.*>
    @type stdout
  </match>
</label>

Not working configuration

<system>
  <log>
    format json
    time_format %Y-%m-%dT%H:%M:%S%z
  </log>
</system>
<label @FLUENT_LOG>
  <source>
    @type tail
    path /tmp/alertLogs/alert.log
    pos_file /tmp/fluentd.pos
    read_from_head true
    tag alert_logs
    <parse>
      @type json
    </parse>
  </source>
  <filter fluent.* alert_logs>
    @type record_modifier
    enable_ruby true
    <record>
      log ${ { message: record["message"]  } }
      type "log"
      level ${record.has_key?("level") ? record["level"]: "unavailable" }
      time ${record.has_key?("time") ? record["time"]: time.strftime('%Y-%m-%dT%H:%M:%S%z') }
    </record>
    remove_keys dummy
  </filter>
  <match fluent.* alert_logs>
    @type stdout
  </match>
</label>

The problem with working configuration is there is duplication of code of <filter> and <match> section. Is there any way to solve this problem?

Answer 1

thank you for sharing your working configuration, I think you should try to use this syntax for your filter and match section, so that fluentd would understand both tags

<match {fluent.*,alert_logs}>

yet its better to put the alert_logs in another file e.g: alert_logs.conf similar to your working config and include it in your main config, like this:

@include config.d/*.conf