I have tried various configurations to consume K8s logs and provide multi-line parsing. I was unable to get it working while using Multiline.parser in the Tail Input configuration. However, through the following configuration (see test.config attachment) I was able to get the multi-line parsing working. By moving the parsing into a filter it works properly.
The question I have, though, is: since the Tail Input uses multiple sources (/var/log/containers/*.log), does the multi-line parsing run the risk of mixing log lines from the different sources? For example, if there are 3 log files being tailed, then when the multi-line parser picks up a line, does it run the risk of combining multiple lines from another log file?
Thanks,