Well based on the two issues: issue1 and issue2, it appears that filebeat only collect raw logs but doesn't assign from which source it was collected, thus you have to add event.dataset, see ECS: event.dataset field using processors, like this:
# ....
processors:
- add_cloud_metadata:
- add_host_metadata:
- add_kubernetes_metadata:
- add_fields:
when:
contains:
kubernetes.pod.name: "my-app1"
target: ''
fields:
event:
dataset: my-app1.log
- add_fields:
when:
contains:
kubernetes.pod.name: "my-app2"
target: ''
fields:
event:
dataset: my-app2.log
#- add_field for more pods, etc.
#...