Save entire log message as "raw_message," and output what was "remain…

…der" as "message."

fluentbit.conf

@@ -52,9 +52,14 @@
     match tcp.*
     key_name log
     parser post-with-syslog
-    reserve_data Off
+    reserve_data On
     preserve_key On
 
+[FILTER]
+    name modify
+    match tcp.*
+    Rename log raw_message
+
 # Further filter of the already-extracted fields
 [FILTER]
     name parser
@@ -79,13 +84,14 @@
     key_name message
     parser extract-remainder
     reserve_data On
-    preserve_key On
+    preserve_key Off
 
+# TODO: does this do anything?
 [FILTER]
     name parser
     match tcp.*
-    key_name remainder
-    parser extract-json-object-from-remainder
+    key_name message
+    parser extract-json-object-from-message
     reserve_data On
     preserve_key On
 

parsers.conf

@@ -38,11 +38,11 @@
     # "remainder" is additional log data you might want to write your own parsers for.
     Name extract-remainder
     Format regex
-    Regex /(\[(tags|gauge)@\d+ [^\]]+\])+\s*(?<remainder>.+)/m
+    Regex /(\[(tags|gauge)@\d+ [^\]]+\])+\s*(?<message>.+)/m
 
 [PARSER]
     # Extract probable-json object from remainder. Experimental!
-    Name extract-json-object-from-remainder
+    Name extract-json-object-from-message
     Format regex
     Regex /\d{2}:\d{2}:\d{2} (?<application_ident>\S+)\s+\|\s+(?<application_log>\{.*\})\s*$/m