search
SlackGitHubCommunity MeetingsWebinars

Decoder settings

There are cases where the log messages you want to parse contain encoded data. A typical use case can be found in containerized environments with Docker. Docker logs its data in JSON format, which uses escaped strings.

Consider the following message generated by the application:

{"status": "up and running"}

The Docker log message encapsulates something like this:

{"log":"{\"status\": \"up and running\"}\r\n","stream":"stdout","time":"2018-03-09T01:01:44.851160855Z"}

The original message is handled as an escaped string. Fluent Bit will use the original structured message, and not a string.

hashtag
Get started

Decoders are a built-in feature of parsers in Fluent Bit. Each parser definition can optionally set one or more decoders. Select from one of these decoder types:

  • decode_field: If the content can be decoded in a structured message, append the structured message (keys and values) to the original log message.

  • decode_field_as: Any decoded content (unstructured or structured) will be replaced in the same key/value, and no extra keys are added.

Each line in the parser with a key decode_field instructs the parser to apply a specific decoder on a given field. Optionally, it offers the option to take an extra action if the decoder doesn't succeed.

hashtag
Configuration parameters

hashtag
Decoder options

Name
Description

escaped

Decode an escaped string.

escaped_utf8

Decode a UTF-8 escaped string.

json

Handle the field content as a JSON map. If the decoder finds a JSON map, it replaces the content with a structured map.

mysql_quoted

Decode a MySQL-quoted string.

hashtag
Optional actions

If a decoder fails to decode the field, or if you want to try another decoder, you can define an optional action. Available actions are:

Name
Description

do_next

If the decoder succeeded or failed, apply the next decoder in the list for the same field.

try_next

If the decoder failed, apply the next decoder in the list for the same field.

Actions are affected by some restrictions:

  • decode_field_as: If successful, another decoder of the same type and the same field can be applied only if the data continues being an unstructured message (raw text).

  • decode_field: If successful, can be applied only once for the same field. decode_field is intended to decode a structured message.

hashtag
Examples

hashtag
Docker parser

The predefined Docker parser has the following definition:

hashtag
escaped_utf8

Example input from /path/to/log.log:

Example output:

Decoder example Fluent Bit configuration files:

The example parsers file:

PreviousRegular expression formatNextProcessors

Last updated

Was this helpful?