After much exploration, it seems that the coredns ingester will not work by default, because it is expecting a leading timestamp that is not there with the default coredns / docker logging.
Here is how I solved it:
```
sed -i'' -e "s,%{timestamp} ,,g" module/coredns/log/ingest/pipeline-plaintext.json
sed -i'' -e "s,%{timestamp} ,,g" module/coredns/log/ingest/pipeline-json.json
sed -i'' -e 's,"ignore_failure" : true,"if": "ctx.timestamp != null",g' module/coredns/log/ingest/pipeline-entry.json
```
This removes the timestamp entry from the ingester (must be applied in your logbeat config / image).
Also, your labels seem wrong. Coredns does not have "access" and "error", just "log".
Here are working labels for me (assuming the above patch as well):
Thanks for this. You should get a double bonus for a reply using sed. I hadn't seen sed used with commas before, so that's another bonus point.
While investigating this I found a comment on the coredns forum that removed the timestamp due to it being displayed doubly when using some logging mechanism. I guess this is all a moving target and difficult to keep everything up to date.
In the end I copied the coredns module config from the current filebeat image docker container, made your changes to my local config, and then mounted those files again into the filebeat container.
For those in a similar situation, useful commands to run (where coredns is your container name, or use its id):