forked from signalfx/splunk-otel-collector-chart
configmap-fluentd-cri.yaml
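---
# Source: splunk-otel-collector/templates/configmap-fluentd-cri.yaml
#
# Rendered Helm output: a ConfigMap holding three fluentd configuration
# fragments for container logs written in the CRI line format.
# Edits belong in the chart template named above; a change made only in
# this rendered manifest is lost on the next render.
apiVersion: v1
kind: ConfigMap
metadata:
  name: default-splunk-otel-collector-fluentd-cri
  labels:
    app: splunk-otel-collector
    chart: splunk-otel-collector-0.31.0
    release: default
    heritage: Helm
data:
  # Parser for one CRI log line: "<time> <stream> [<F|P>] <log>".
  # `time` is matched with [^ ]+ instead of a greedy .+ so the field ends
  # at the first space. The time_format below contains no space, so
  # well-formed lines parse as before. With .+ the match backtracked to
  # the LAST " stdout " / " stderr " in the line, so workload-written
  # message text containing one of those tokens moved the field
  # boundaries and the captured time no longer matched time_format.
  source.containers.parse.conf: |-
    @type regexp
    expression /^(?<time>[^ ]+) (?<stream>stdout|stderr)( (?<partial_flag>[FP]))? (?<log>.*)$/
    time_format %Y-%m-%dT%H:%M:%S.%N%:z
  # Re-joins records the runtime split: a record whose partial_flag is "P"
  # is concatenated with the following ones, with an empty separator.
  # Records flushed on timeout are sent to the @SPLUNK label, which has to
  # be defined elsewhere in the fluentd configuration (not in this file).
  # NOTE(review): stdout and stderr lines share one tag here; confirm
  # whether fluent-plugin-concat's `stream_identity_key` should be set so
  # interleaved partial lines of the two streams are not merged.
  output.concat.conf: |-
    # = handle cri/containerd multiline format =
    <filter tail.containers.var.log.containers.**>
      @type concat
      key log
      partial_key partial_flag
      partial_value P
      separator ''
      timeout_label @SPLUNK
    </filter>
  # Derives pod_uid, container_name and container_retry from the log file
  # path in `source`, sets sourcetype to "kube:container:<container_name>",
  # then copies pod_uid / container_name to k8s.pod.uid / k8s.container.name.
  # NOTE(review): the capture pattern is unanchored and the "." before
  # "log" is unescaped; this looks harmless if `source` is always a path
  # under /var/log/pods, but confirm against the tail source that
  # produces these tags.
  output.transform.conf: |-
    # extract pod_uid and container_name for CRIO runtime
    # currently CRI does not produce log paths with all the necessary
    # metadata to parse out pod, namespace, container_name, container_id.
    # this may be resolved in the future by this issue: https://github.com/kubernetes/kubernetes/issues/58638#issuecomment-385126031
    <filter tail.containers.var.log.pods.**>
      @type jq_transformer
      jq '.record | . + (.source | capture("/var/log/pods/(?<pod_uid>[^/]+)/(?<container_name>[^/]+)/(?<container_retry>[0-9]+).log")) | .sourcetype = ("kube:container:" + .container_name)'
    </filter>
    # rename pod_uid and container_name to otel semantics.
    <filter tail.containers.var.log.pods.**>
      @type record_transformer
      <record>
        k8s.pod.uid ${record["pod_uid"]}
        k8s.container.name ${record["container_name"]}
      </record>
    </filter>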