K
Q

Add pod name to event tag in fluentd

9/17/2019

Currently the events are enriched using kubernetes_metadata:

<filter kubernetes.var.log.containers.**>
  @type kubernetes_metadata
</filter>

The current tag is kubernetes.namespace, I want it to be kubernetes.namespace.pod_name

I've added a rewrite_tag_filter but it doesn't work, and worse than that, it drops all the events:

<match kubernetes.**>
  @type rewrite_tag_filter
  <rule>
    key $['kubernetes']['pod_name']
    pattern ^(.+)$
    tag ${tag}.$1
  </rule>
</match>

I added @type stdout and the event does have ['kubernetes']['pod_name'] so I guess that's not the issue

update: I've also tried the suggested answer and added:

<filter kubernetes.**>
  @type record_transformer
  enable_ruby
  <record>
    # For future retagging.
    kubernetes_tag ${"kubernetes.%s.%s" % [record["kubernetes"]["namespace_name"], record["kubernetes"]["container_name"]]}
  </record>
</filter>

At this point, I've printed out the event to stdout and it does contain a property named kubernetes_tag with the namespace_name and the container_name chained.
Now I've added the rewrite_tag_filter block:

<match kubernetes.**>
  @type rewrite_tag_filter
  <rule>
    key     kubernetes_tag
    pattern ^(.+)$
    tag     $1
  </rule>
</match>

From this point on, no events are coming through and nothing is printed out, as if all events are dropped. Similarly to what I experienced at first.

-- SagiLow
fluentd
kubernetes

Similar Questions

How can I collect the pod logs using fluentd and send the logs to elasticsearch?
HPA Implementation on single node kubernetes cluster
RabbitMQ on Kubernetes kubernetes.default.svc.cluster.local tls qlert
Kubernetes - ExternalIP vs InternalIP

2 Answers

10/15/2019

Are you sure the current tag is namespace? You could try to check it in two steps:

<match kubernetes.**>
  @type rewrite_tag_filter
  <rule>
    key kubernetes.namespace_name
    pattern ^(?!\s*$).+
    tag kubernetes.$1
  </rule>
</match>

<match kubernetes.**>
  @type rewrite_tag_filter
  <rule>
    key kubernetes.pod_name
    pattern ^(?!\s*$).+
    tag ${tag}.$1
  </rule>
</match>

Also, I have changed the regex to non blank whitespaces strings.

-- Pedreiro
Source: StackOverflow
9/19/2019

I used this:

<filter kube.**>
  @type record_transformer
  enable_ruby
  <record>
    # For future retagging.
    kubernetes_tag ${"kubernetes.%s.%s.%s" % [record["kubernetes"]["namespace_name"], record["kubernetes"]["labels"]["app"] || record["kubernetes"]["labels"]["k8s-app"] || record["kubernetes"]["labels"]["name"] || "unspecified-app-label", record["kubernetes"]["container_name"]]}
  </record>
</filter>

# Retag using the new field
<match kube.**>
  @type rewrite_tag_filter
  <rule>
    key     kubernetes_tag
    pattern ^(.+)$
    tag     $1
  </rule>
</match>

I don't suggest to use pod name alone in a tag, because often pod has multiple containers each with own logging schema. I use namespace_name + container_name in tag instead.

-- Max Lobur
Source: StackOverflow