feat: kubernetes parse json message for some pod

2022-05-28 18:34:30 +02:00 · 2022-05-28 18:34:30 +02:00 · 2dafb5e113
commit 2dafb5e113
parent a9cd4f080a
2 changed files with 28 additions and 4 deletions
--- a/filebeat-docker.yml
+++ b/filebeat-docker.yml
@ -15,10 +15,23 @@ processors:
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"
  - add_host_metadata: ~
-  - decode_json_fields:
-      fields: ["message"]
-      target: "json"
-      overwrite_keys: true
+  - dissect:
+      tokenizer: '%{nginx.remote_addr} - %{nginx.remote_user} [%{nginx.time}] %{nginx.host} "%{nginx.request}" %{nginx.status|integer} %{nginx.http_referer} "%{nginx.http_user_agent}" %{nginx.http_x_forwarded_for} %{nginx.request_id} "%{nginx.geoip_country_name}" %{nginx.geoip_country_code} %{nginx.geoip_latitude} %{nginx.geoip_longitude}'
+      target_prefix: ""
+      field: "message"
+      when:
+        equals:
+          container.name: nginxfront
+  - timestamp:
+      field: nginx.time
+      target_field: nginx.time
+      layouts:
+        - '02/Jan/2006:15:04:05 -0700'
+      test:
+        - '27/May/2022:21:41:02 +0000'
+      when:
+        equals:
+          container.name: nginxfront

 setup:
  kibana:
--- a/filebeat-kubernetes.yml
+++ b/filebeat-kubernetes.yml
@ -29,6 +29,17 @@ processors:
      format: offset
  - add_kubernetes_metadata:
  - add_host_metadata: ~
+  - decode_json_fields:
+      fields: [ "message" ]
+      target: "message_json"
+      when:
+        or:
+          - equals:
+              kubernetes.container.name: etcd
+          - equals:
+              kubernetes.container.name: kilo
+          - equals:
+              kubernetes.container.name: cfssl-issuer

 setup:
  kibana: