Parser plugin docs updates (#2371)

eschabell · web-flow · commit 6e7d8e93fcb7 · 2026-02-10T09:50:48.000Z
* docs: parsers: configuring-parser: improve config parameter table - Sort parameter table alphabetically - Add Default column with values for each parameter - Add missing logfmt_no_bare_keys parameter - Add missing mysql_quoted decoder type to decode_field and decode_field_as - Fix Time_System_timezone case to time_system_timezone - Lowercase all parameter names to match repo YAML convention - Remove inaccurate format restriction on types parameter Applies to #2370 Signed-off-by: Eric D. Schabell <eric@schabell.org> * docs: parsers: decoders: improve structure and config tables - Restructure sections to Configuration parameters before Examples - Sort decoder options table alphabetically - Sort optional actions table alphabetically - Add missing mysql_quoted decoder type - Lowercase parameter references to match repo YAML convention Applies to #2370 Signed-off-by: Eric D. Schabell <eric@schabell.org> * docs: parsers: json: add link to configuring-parser Applies to #2370 Signed-off-by: Eric D. Schabell <eric@schabell.org> * docs: parsers: logfmt: add config parameter table and link - Add link to configuring-parser for common parameters - Add format-specific parameter table for logfmt_no_bare_keys Applies to #2370 Signed-off-by: Eric D. Schabell <eric@schabell.org> * docs: parsers: regular-expression: fix config table and formatting - Add link to configuring-parser for common parameters - Lowercase skip_empty_values and its default to match repo convention - Fix {% end hint %} to {% endhint %} Applies to #2370 Signed-off-by: Eric D. Schabell <eric@schabell.org> * docs: parsers: multiline-parsing: add missing parameters - Add key_group parameter for stream grouping - Add key_pattern parameter for alternative match field Applies to #2370 Signed-off-by: Eric D. Schabell <eric@schabell.org> * docs: parsers: ltsv: add link to configuring-parser Applies to #2370 Signed-off-by: Eric D. Schabell <eric@schabell.org> --------- Signed-off-by: Eric D. Schabell <eric@schabell.org>
diff --git a/pipeline/parsers/configuring-parser.md b/pipeline/parsers/configuring-parser.md
@@ -12,21 +12,22 @@ To define a custom parser, add an entry to the [`parsers` section](../../adminis
 
 Custom parsers support the following configuration parameters:
 
-| Key | Description |
-| --- | ----------- |
-| `Name` | Sets the name of your parser. |
-| `Format` | Specifies the format of the parser. Possible options: [`json`](json.md), [`regex`](regular-expression.md), [`ltsv`](ltsv.md), or [`logfmt`](logfmt.md). |
-| `Regex` | Required for parsers with the `regex` format. Specifies the Ruby regular expression for parsing and composing the structured message. |
-| `Time_Key` | If the log entry provides a field with a timestamp, this option specifies the name of that field. |
-| `Time_Format` | Specifies the format of the time field so it can be recognized and analyzed properly. Fluent Bit uses `strptime(3)` to parse time. See the [`strptime` documentation](https://linux.die.net/man/3/strptime) for available modifiers. The `%L` field descriptor is supported for fractional seconds. |
-| `Time_Offset` | Specifies a fixed UTC time offset (such as `-0600` or `+0200`) for local dates. |
-| `Time_Keep` | If enabled, when a time key is recognized and parsed, the parser will keep the original time key. If disabled, the parser will drop the original time field. |
-| `Time_System_timezone` | If there is no time zone (`%z`) specified in the given `Time_Format`, enabling this option will make the parser detect and use the system's configured time zone. The configured time zone is detected from the [`TZ` environment variable](https://www.gnu.org/software/libc/manual/html_node/TZ-Variable.html). |
-| `Types` | Specifies the data type of parsed field. The syntax is `types <field_name_1>:<type_name_1> <field_name_2>:<type_name_2> ...`. The supported types are `string` (default), `integer`, `bool`, `float`, `hex`. The option is supported by `ltsv`, `logfmt` and `regex`. |
-| `Decode_Field` | If the content can be decoded in a structured message, append the structured message (keys and values) to the original log message. Decoder types: `json`, `escaped`, `escaped_utf8`. The syntax is: `Decode_Field <decoder_type> <field_name>`. See [Decoders](decoders.md) for additional information. |
-| `Decode_Field_As` | Any decoded content (unstructured or structured) will be replaced in the same key/value, and no extra keys are added. Decoder types: `json`, `escaped`, `escaped_utf8`. The syntax is: `Decode_Field_As <decoder_type> <field_name>`. See [Decoders](decoders.md) for additional information. |
-| `Skip_Empty_Values` | Specifies a boolean which determines if the parser should skip empty values. The default is `true`. |
-| `Time_Strict` | The default value (`true`) tells the parser to be strict with the expected time format. With this option set to false, the parser will be permissive with the format of the time. You can use this when the format expects time fraction but the time to be parsed doesn't include it.  |
+| Key | Description | Default |
+| --- | ----------- | ------- |
+| `decode_field` | If the content can be decoded in a structured message, append the structured message (keys and values) to the original log message. Decoder types: `json`, `escaped`, `escaped_utf8`, `mysql_quoted`. The syntax is: `decode_field <decoder_type> <field_name>`. See [Decoders](decoders.md) for additional information. | _none_ |
+| `decode_field_as` | Any decoded content (unstructured or structured) will be replaced in the same key/value, and no extra keys are added. Decoder types: `json`, `escaped`, `escaped_utf8`, `mysql_quoted`. The syntax is: `decode_field_as <decoder_type> <field_name>`. See [Decoders](decoders.md) for additional information. | _none_ |
+| `format` | Specifies the format of the parser. Possible options: [`json`](json.md), [`regex`](regular-expression.md), [`ltsv`](ltsv.md), or [`logfmt`](logfmt.md). | _none_ |
+| `logfmt_no_bare_keys` | If enabled, the `logfmt` parser rejects log entries where keys don't have associated values (bare keys). Only applies to the `logfmt` format. | `false` |
+| `name` | Sets the name of your parser. | _none_ |
+| `regex` | Required for parsers with the `regex` format. Specifies the Ruby regular expression for parsing and composing the structured message. | _none_ |
+| `skip_empty_values` | Specifies a boolean which determines if the parser should skip empty values. | `true` |
+| `time_format` | Specifies the format of the time field so it can be recognized and analyzed properly. Fluent Bit uses `strptime(3)` to parse time. See the [`strptime` documentation](https://linux.die.net/man/3/strptime) for available modifiers. The `%L` field descriptor is supported for fractional seconds. | _none_ |
+| `time_keep` | If enabled, when a time key is recognized and parsed, the parser will keep the original time key. If disabled, the parser will drop the original time field. | `false` |
+| `time_key` | If the log entry provides a field with a timestamp, this option specifies the name of that field. | _none_ |
+| `time_offset` | Specifies a fixed UTC time offset (such as `-0600` or `+0200`) for local dates. | _none_ |
+| `time_strict` | If `true`, the parser is strict with the expected time format. If `false`, the parser is permissive with the format of the time. Set to `false` when the format expects a time fraction but the time to be parsed doesn't include it. | `true` |
+| `time_system_timezone` | If there is no time zone (`%z`) specified in the given `time_format`, enabling this option will make the parser detect and use the system's configured time zone. The configured time zone is detected from the [`TZ` environment variable](https://www.gnu.org/software/libc/manual/html_node/TZ-Variable.html). | `false` |
+| `types` | Specifies the data type of a parsed field. The syntax is `types <field_name_1>:<type_name_1> <field_name_2>:<type_name_2> ...`. The supported types are `string` (default), `integer`, `bool`, `float`, `hex`. | _none_ |
 
 ### Time resolution and fractional seconds
 
diff --git a/pipeline/parsers/decoders.md b/pipeline/parsers/decoders.md
@@ -20,12 +20,43 @@ The original message is handled as an escaped string. Fluent Bit will use the or
 
 Decoders are a built-in feature of parsers in Fluent Bit. Each parser definition can optionally set one or more decoders. Select from one of these decoder types:
 
-- `Decode_Field`: If the content can be decoded in a structured message, append
+- `decode_field`: If the content can be decoded in a structured message, append
   the structured message (keys and values) to the original log message.
-- `Decode_Field_As`: Any decoded content (unstructured or structured) will be
+- `decode_field_as`: Any decoded content (unstructured or structured) will be
   replaced in the same key/value, and no extra keys are added.
 
-For example, the predefined Docker parser has the following definition:
+Each line in the parser with a key `decode_field` instructs the parser to apply a specific decoder on a given field. Optionally, it offers the option to take an extra action if the decoder doesn't succeed.
+
+## Configuration parameters
+
+### Decoder options
+
+| Name | Description |
+| ---- | ----------- |
+| `escaped`      | Decode an escaped string. |
+| `escaped_utf8` | Decode a UTF-8 escaped string. |
+| `json`         | Handle the field content as a JSON map. If the decoder finds a JSON map, it replaces the content with a structured map. |
+| `mysql_quoted` | Decode a MySQL-quoted string. |
+
+### Optional actions
+
+If a decoder fails to decode the field, or if you want to try another decoder, you can define an optional action. Available actions are:
+
+| Name | Description |
+| -----| ----------- |
+| `do_next` | If the decoder succeeded or failed, apply the next decoder in the list for the same field. |
+| `try_next` | If the decoder failed, apply the next decoder in the list for the same field. |
+
+Actions are affected by some restrictions:
+
+- `decode_field_as`: If successful, another decoder of the same type and the same field can be applied only if the data continues being an unstructured message (raw text).
+- `decode_field`: If successful, can be applied only once for the same field. `decode_field` is intended to decode a structured message.
+
+## Examples
+
+### Docker parser
+
+The predefined Docker parser has the following definition:
 
 {% tabs %}
 {% tab title="parsers.yaml" %}
@@ -60,33 +91,7 @@ parsers:
 {% endtab %}
 {% endtabs %}
 
-Each line in the parser with a key `Decode_Field` instructs the parser to apply a specific decoder on a given field. Optionally, it offers the option to take an extra action if the decoder doesn't succeed.
-
-### Decoder options
-
-| Name           | Description |
-| -------------- | ----------- |
-| `json`         | Handle the field content as a JSON map. If the decoder finds a JSON map, it replaces the content with a structured map. |
-| `escaped`      | Decode an escaped string. |
-| `escaped_utf8` | Decode a UTF8 escaped string. |
-
-### Optional actions
-
-If a decoder fails to decode the field, or if you want to try another decoder, you can define an optional action. Available actions are:
-
-| Name | Description |
-| -----| ----------- |
-| `try_next` | If the decoder failed, apply the next decoder in the list for the same field. |
-| `do_next` | If the decoder succeeded or failed, apply the next decoder in the list for the same field. |
-
-Actions are affected by some restrictions:
-
-- `Decode_Field_As`: If successful, another decoder of the same type and the same field can be applied only if the data continues being an unstructured message (raw text).
-- `Decode_Field`: If successful, can be applied only once for the same field. `Decode_Field` is intended to decode a structured message.
-
-### Examples
-
-#### `escaped_utf8`
+### `escaped_utf8`
 
 Example input from `/path/to/log.log`:
 
@@ -172,7 +177,7 @@ parsers:
   Format      json
   Time_Key    time
   Time_Format %Y-%m-%dT%H:%M:%S %z
-  Decode_Field_as escaped_utf8 log
+  Decode_Field_As escaped_utf8 log
 ```
 
 {% endtab %}
diff --git a/pipeline/parsers/json.md b/pipeline/parsers/json.md
@@ -2,6 +2,8 @@
 
 Use the _JSON_ parser format to create custom parsers compatible with JSON data. This format transforms JSON logs by converting them to internal binary representations.
 
+For available configuration parameters, see [Configuring custom parsers](configuring-parser.md).
+
 For example, the default parsers configuration file includes a parser for parsing Docker logs (when the Tail input plugin is used):
 
 {% tabs %}
diff --git a/pipeline/parsers/logfmt.md b/pipeline/parsers/logfmt.md
@@ -2,6 +2,16 @@
 
 Use the _logfmt_ parser format to create custom parsers compatible with [logfmt](https://pkg.go.dev/github.com/kr/logfmt?utm_source=godoc) data.
 
+For available configuration parameters, see [Configuring custom parsers](configuring-parser.md).
+
+## Configuration parameters
+
+The `logfmt` parser supports the following format-specific configuration parameter:
+
+| Key | Description | Default |
+| --- | ----------- | ------- |
+| `logfmt_no_bare_keys` | If enabled, the parser rejects log entries where keys don't have associated values (bare keys). | `false` |
+
 The following example shows a custom parser that uses the `logfmt` format:
 
 {% tabs %}
diff --git a/pipeline/parsers/ltsv.md b/pipeline/parsers/ltsv.md
@@ -2,6 +2,8 @@
 
 Use the _LTSV_ parser format to create custom parsers compatible with [Labeled Tab-separated Values (LTSV)](http://ltsv.org/) data.
 
+For available configuration parameters, see [Configuring custom parsers](configuring-parser.md).
+
 LTSV is a variant of the Tab-separated Values (TSV) format. Each record in an LTSV file is represented as a single line. Each field is separated by a tab and has a label and a value. The label and its value are separated by a colon (`:`).
 
 Here is an example how to use this format in the Apache access log.
diff --git a/pipeline/parsers/multiline-parsing.md b/pipeline/parsers/multiline-parsing.md
@@ -40,6 +40,8 @@ To define a custom multiline parser, add an entry to the [`multiline_parsers` se
 | -------- | ----------- | ------- |
 | `flush_timeout` | Timeout in milliseconds to flush a non-terminated multiline buffer. | `4s` |
 | `key_content`   | For an incoming structured message, specify the key that contains the data that should be processed by the regular expression and possibly concatenated. | _none_ |
+| `key_group`     | For an incoming structured message, specify the key used as a grouping identifier. Lines with different values for this key are treated as separate streams. For example, Docker and CRI logs use the `stream` field to distinguish `stdout` from `stderr`. | _none_ |
+| `key_pattern`   | For an incoming structured message, specify an alternative key to apply matching rules against, separate from `key_content`. Use to match against one field while concatenating content from another. | _none_ |
 | `match_string`  | String to match against for `endswith` or `equal` types. Not used for `regex` type. | _none_ |
 | `name` | Specify a unique name for the multiline parser definition. A good practice is to prefix the name with the word `multiline_` to avoid confusion with normal parser definitions. | _none_ |
 | `negate`        | Negate the pattern matching result. When set to `true`, a non-matching line is treated as matching. | `false` |
diff --git a/pipeline/parsers/regular-expression.md b/pipeline/parsers/regular-expression.md
@@ -8,17 +8,19 @@ Use [Tail multiline](../inputs/tail.md#multiline) when you need to support regul
 
 This parser uses Onigmo, which is a backtracking regular expression's engine. When using complex regular expression patterns, Onigmo can take a long time to perform pattern matching. This can cause a [regular expression denial of service (ReDoS)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS).
 
-{% end hint %}
+{% endhint %}
 
 Setting the format to regular expressions requires a `regex` configuration key.
 
+For available configuration parameters, see [Configuring custom parsers](configuring-parser.md).
+
 ## Configuration parameters
 
-The `regex` parser supports the following configuration parameters:
+The `regex` parser supports the following format-specific configuration parameter:
 
-| Key | Description | Default Value |
-| --- | ----------- | ------------- |
-| `Skip_Empty_Values` | If enabled, the parser ignores empty value of the record. | `True` |
+| Key | Description | Default |
+| --- | ----------- | ------- |
+| `skip_empty_values` | If enabled, the parser ignores empty values of the record. | `true` |
 
 Fluent Bit uses the [Onigmo](https://github.com/k-takata/Onigmo) regular expression library in Ruby mode.
 
