I would like to annotate some kubernetes pods with an annotation like please_log_with_parser: myparser and have something like fluentbit to only process the logs of those pods with the given parser to our elastic search cluster.
For fluentbit I'm only aware of annotation fluentbit.io/exclude, but that would result in having to annotate all other pods. - Is is possible to tell fluentbit to only process logs having a label, or otherwise discarding all messages without the proper annotation?
Is there maybe an alternative to fluentbit, which is able to do so?
One option is using a combination of kubernetes, nest, and grep filter like in this example.
You use the kubernetes filter to create metadata like this:
{
"kubernetes": {
"pod_name": "myapp-0",
"namespace_name": "default",
"pod_id": "216cd7ae-1c7e-11e8-bb40-000c298df552",
"annotations": {
"please_log_with_parser": "myparser"
},
"host": "minikube",
"container_name": "myapp",
"docker_id": "370face382c7603fdd309d8c6aaaf434fd98b92421ce7c7c8aafe7697d4aa362"
}
}
Then use nest to lift the annotation to the top level. Then use grep to discard only keep the record if that annotation is present.
My helm values now look like this:
rawConfig: |-
@INCLUDE fluent-bit-service.conf
@INCLUDE fluent-bit-input.conf
@INCLUDE fluent-bit-filter.conf
[FILTER]
Name nest
Match *
Operation lift
Nested_under kubernetes
Add_prefix kubernetes_
[FILTER]
Name nest
Match *
Operation lift
Nested_under kubernetes_annotations
Add_prefix kubernetes_annotations_
[FILTER]
Name grep
Match *
Regex kubernetes_annotations_fluentbit.io/parser .*
[FILTER]
Name nest
Match *
Operation nest
Wildcard kubernetes_annotations_*
Nest_under kubernetes_annotations
Remove_prefix kubernetes_annotations_
[FILTER]
Name nest
Match *
Operation nest
Wildcard kubernetes_*
Nest_under kubernetes
Remove_prefix kubernetes_
@INCLUDE fluent-bit-output.conf