Filelog Receiver Multiline Does Not Split Log Entries

[ztporteous]

Component(s)

receiver/filelog

Describe the issue you're reporting

Implementation of the multiline filelog receiver pattern does not work as expected.

This is an issue experienced across multiple files please see the attached for a specific example.

Here is a snippet of the file being parsed:

Here is the filelog receiver YAML:

Here is the output:

As you can see, despite the multiline start pattern regex matching, the body of the log message contains two log lines from the file. This is due to me writing them both at the same time in this case, however also occurs if the file is created with multiple pre-populated entries. I have experienced the same issue with the SQL Server log file.

The behaviour I'm experiencing is the multiline feature does not split lines by the pattern. It works as intended if new log entries are written one at a time, however if multiple are committed to the file simultaneously, the receiver does not process this and bundles all new lines into one single log entry.

[github-actions]

Pinging code owners:

• receiver/filelog: @djaglowski

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[VihasMakwana]

Thanks for filing this issue. I'll try to reproduce this.

[VihasMakwana]

The issue is with your regex for line_start_pattern.

You're using [A-Z]\d{4} d{2}:\d{2}:\d{2}.\d{6}, but you should be using [A-Z]\d{4} \d{2}:\d{2}:\d{2}.\d{6} (notice the \).

Let me know if it fixes the issue?

[ztporteous]

You are absolutely correct :/
Must've trimmed off at some point when removing the target group name from the regex beneath it..
Apologies! And thank you :)