I have a k8s logging stack set up like this: fluent-bit => fluentd => elastic
I have a working set up with this config:
fluent-bit.conf

[SERVICE]
    Daemon        Off
    Parsers_File  custom_parsers.conf
    HTTP_Server   On
    HTTP_Listen   0.0.0.0
    Health_Check  On

[INPUT]
    Name               tail
    Path               /var/log/containers/*.log
    DB                 /var/log/flb_kube.db
    Tag                kube.*
    Refresh_Interval   5
    Mem_Buf_Limit      128MB
    Buffer_Chunk_Size  64KB
    Buffer_Max_Size    128KB
    Skip_Long_Lines    Off
    Parser             crio

[FILTER]
    Name                 kubernetes
    Match                kube.*
    Merge_Log            On
    Keep_Log             On
    K8S-Logging.Parser   On
    K8S-Logging.Exclude  On
    Buffer_Size          256KB
    Annotations          Off
    Labels               On

[OUTPUT]
    Match       kube.*
    Name        forward
    Host        fluentd-collector.fluent.svc
    Port        24224
    tls         off
    tls.verify  off

[OUTPUT]
    Match  kube.*
    Name   stdout

custom_parsers.conf

[PARSER]
    Name          crio
    Format        regex
    reserve_data  true
    Regex         ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$
    Time_Key      time
    Time_Format   %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep     On
Logs are showing up in Elastic correctly, and when we have a JSON log coming in, crio parsing is just fine.
What I'm stuck with is: some of our logs have JSON inside a string inside the log key:
[info] [testing 1 of 2] some string here smplog::{"application":"test","abc":"high","version":"0.2.1"}
I'm looking to catch the JSON after smplog:: and parse that.
Any help would be appreciated!
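One way to do this inside fluent-bit itself, added here as an example and not taken from the original post: chain two parser filters after the kubernetes filter, the first using a regex parser to pull the text after smplog:: into its own key, the second using a json parser on that key. The parser names (smplog_extract, smplog_json), the key name smplog and the exact regex are my assumptions; the smplog:: marker and the kube.* tag are from the config above.

```ini
# Added to custom_parsers.conf (assumed names)
[PARSER]
    # Captures only the JSON object that follows the smplog:: marker.
    # Everything before the marker is left in the original log field.
    Name    smplog_extract
    Format  regex
    Regex   ^.*smplog::(?<smplog>\{.*\})\s*$

[PARSER]
    # Decodes the captured string into real fields.
    Name    smplog_json
    Format  json

# Added to fluent-bit.conf, after the [FILTER] kubernetes block,
# because filters run in the order they are declared.
[FILTER]
    Name          parser
    Match         kube.*
    Key_Name      log
    Parser        smplog_extract
    # Keep all other record fields (kubernetes metadata, stream, logtag)
    Reserve_Data  On
    # Keep the original log line as well, not just the extracted piece
    Preserve_Key  On

[FILTER]
    Name          parser
    Match         kube.*
    Key_Name      smplog
    Parser        smplog_json
    Reserve_Data  On
    # Preserve_Key is left Off so the raw smplog string is replaced
    # by its decoded keys (application, abc, version in the sample line)
```

If a line has no smplog:: marker, or the captured text is not valid JSON, the corresponding parser filter leaves the record unchanged, so the existing log field still reaches Elastic. The decoded keys are merged into the top level of the record, which means the application controls which field names appear there; if that matters for your mappings, follow these with a nest filter to move them under a dedicated key.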