Add k8sevent transform #1691
Add k8sevent transform #1691
Conversation
| stringValue: kube:events | ||
| - key: com.splunk.index | ||
| value: | ||
| stringValue: index_from_pod |
There was a problem hiding this comment.
Events in the resource before this ( e.g. Successfully assigned k8sevents-test/k8sevents-test-0 to kind-control-plane) do not have their index overridden with the annotation value. I think there'll be some ambiguity about the index with the existing config.
For example, an event create Pod in StatefulSet k8sevents-test successful which is associated with the object.kind = statefulset. It does not have a k8s.node.name value (this is set in the receiver to match the source.host so if event is from kubelet about a local pod activity this is set, but other controllers might not add this.. It has the k8s.namespace.name set which is used as source for one of the association rule, but in our test we have no existing pod at the time this event was generated in the test ns. So I think the processor isn't able to add the index value from the namespace (the namespace has the annotaion splunk.com/sourcetype = index_from_namespace) and it remains main in this test.
| - conditions: | ||
| - resource.attributes["k8s.object.kind"] == "Pod" and IsMatch(resource.attributes["k8s.object.fieldpath"], "spec\\.containers.*") | ||
| statements: | ||
| - merge_maps(resource.cache, ExtractPatterns(resource.attributes["k8s.object.fieldpath"], "spec.containers\\{(?P<k8s_container_name>[^\\}]+)\\}"), "insert") |
There was a problem hiding this comment.
named capture group errors when . are used, so I am writing to cache and then setting the attribute in next step
jinja2
force-pushed
the
add-k8sevent-transform
branch
from
1ec2555 to
9aa840f
Compare
Description:
For the option,
clusterReceiver.eventsEnabled, the logs pipeline for k8s_events now adds attributes of the typek8s.<objectkind>.nameandk8s.<objectkind>.uid.Link to Splunk idea: <Link to Splunk idea, see https://ideas.splunk.com>
Testing:
Documentation: