From 10300783f176c49fc99e6e4c7b829002adc56191 Mon Sep 17 00:00:00 2001
From: Adrian Lopez
Date: Thu, 14 Jun 2018 09:52:01 +0200
Subject: [PATCH 1/2] Doc how to parse telegraf logs
---
 plugins/inputs/logparser/README.md | 42 ++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/plugins/inputs/logparser/README.md b/plugins/inputs/logparser/README.md
index 7a1df8bc8fc6a..3e0c8a918087a 100644
--- a/plugins/inputs/logparser/README.md
+++ b/plugins/inputs/logparser/README.md
@@ -213,6 +213,48 @@ A multi-line literal string allows us to encode the pattern:
 custom_patterns = 'UNICODE_ESCAPE (?:\\u[0-9A-F]{4})+'
 ```
 
+#### Parsing Telegraf log file
+We can use logparser to convert the log lines generated by Telegraf in metrics.
+
+To do this we need to configure Telegraf to write logs to a file (if we have systemd, by
+default, it will be written to journald):
+```toml
+[agent]
+ logfile = "/var/log/telegraf/telegraf.log"
+```
+
+Logparser configuration:
+```toml
+[[inputs.logparser]]
+ files = ["/var/log/telegraf/telegraf.log"]
+
+ [inputs.logparser.grok]
+ measurement = "telegraf_log"
+ patterns = ['\A%{TIMESTAMP_ISO8601:timestamp:ts-rfc3339} %{TELEGRAF_LOG_LEVEL:level:tag}! %{GREEDYDATA:msg}']
+ custom_patterns = '''
+TELEGRAF_LOG_LEVEL (?:[DIWE]+)
+'''
+```
+
+Example log lines:
+```
+2018-06-14T06:41:35Z I! Starting Telegraf v1.6.4
+2018-06-14T06:41:35Z I! Agent Config: Interval:3s, Quiet:false, Hostname:"archer", Flush Interval:3s
+2018-02-20T22:39:20Z E! Error in plugin [inputs.docker]: took longer to collect than collection interval (10s)
+2018-06-01T10:34:05Z W! Skipping a scheduled flush because there is already a flush ongoing.
+2018-06-14T07:33:33Z D! Output [file] buffer fullness: 0 / 10000 metrics.
+```
+
+Generated metrics:
+```
+telegraf_log,host=somehostname,level=I msg="Starting Telegraf v1.6.4" 1528958495000000000
+telegraf_log,host=somehostname,level=I msg="Agent Config: Interval:3s, Quiet:false, Hostname:\"somehostname\", Flush Interval:3s" 1528958495001000000
+telegraf_log,host=somehostname,level=E msg="Error in plugin [inputs.docker]: took longer to collect than collection interval (10s)" 1519166360000000000
+telegraf_log,host=somehostname,level=W msg="Skipping a scheduled flush because there is already a flush ongoing." 1527849245000000000
+telegraf_log,host=somehostname,level=D msg="Output [file] buffer fullness: 0 / 10000 metrics." 1528961613000000000
+```
+
+
 ### Tips for creating patterns
 
 Writing complex patterns can be difficult, here is some advice for writing a
From 11f16f1e2f50a2be6fb314adcff970127c11236e Mon Sep 17 00:00:00 2001
From: Adrian Lopez
Date: Fri, 15 Jun 2018 12:33:18 +0200
Subject: [PATCH 2/2] Syslog could be used to generate a telegraf.log file. Fix regex to use 'beginning of line' instead of 'beginning of text'
---
 plugins/inputs/logparser/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/inputs/logparser/README.md b/plugins/inputs/logparser/README.md
index 3e0c8a918087a..f75cb49230e9e 100644
--- a/plugins/inputs/logparser/README.md
+++ b/plugins/inputs/logparser/README.md
@@ -216,8 +216,8 @@ A multi-line literal string allows us to encode the pattern:
 #### Parsing Telegraf log file
 We can use logparser to convert the log lines generated by Telegraf in metrics.
 
-To do this we need to configure Telegraf to write logs to a file (if we have systemd, by
-default, it will be written to journald):
+To do this we need to configure Telegraf to write logs to a file.
+This could be done using the ``agent.logfile`` parameter or configuring syslog.
 ```toml
 [agent]
 logfile = "/var/log/telegraf/telegraf.log"
@@ -230,7 +230,7 @@ Logparser configuration:
 
 [inputs.logparser.grok]
 measurement = "telegraf_log"
- patterns = ['\A%{TIMESTAMP_ISO8601:timestamp:ts-rfc3339} %{TELEGRAF_LOG_LEVEL:level:tag}! %{GREEDYDATA:msg}']
+ patterns = ['^%{TIMESTAMP_ISO8601:timestamp:ts-rfc3339} %{TELEGRAF_LOG_LEVEL:level:tag}! %{GREEDYDATA:msg}']
 custom_patterns = '''
 TELEGRAF_LOG_LEVEL (?:[DIWE]+)
 '''