Hello, (sorry for my English) I'm trying to parse CRI logs.
Logs not in JSON format are not parsed.
An example of logs that are parsed correctly:
2022-07-15T14:50:51.994932036Z stdout F {"@timestamp":"timestamp","@version":2,"message":"any message","logger_name":"any string","thread_name":"thread name","level":"DEBUG","level_value":10000,"traceId":"id","spanId":"id"}
An example of logs that are not parsed correctly:
2022-07-15T13:07:50.109703392Z stdout F "any string"
Config filebeat:
kubernetes.yml: |-
  - type: container
    id: "*"
    stream: stdout
    format: cri
    cri.parse_flags: true # (I have logs over 16kb)
    enabled: true
    symlinks: true
    ignore_older: 24h
    paths:
      - "/var/log/containers/*.log"
    processors:
      - add_kubernetes_metadata:
          in_cluster: true
          default_matchers.enabled: false
          matchers:
            - logs_path:
                logs_path: /var/log/containers/
      - dissect:
          tokenizer: "%{parsed}"
          field: "message"
          target_prefix: ""
          overwrite_keys: true
          ignore_missing: true
      - drop_fields:
          fields: ["message"]
      - rename:
          fields:
            - from: "parsed"
              to: "message"
          ignore_missing: true
          fail_on_error: false
      - decode_json_fields:
          fields: ['message']
          target: json
          max_depth: 1
          overwrite_keys: true
Please tell me what I am doing wrong. Thanks.
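
An added example, not part of the original post and not Filebeat's own code: a small Python parser for the CRI line layout shown above (`<timestamp> <stream> <P|F> <content>`), which joins partial (`P`) chunks of long records and only expands content that decodes to a JSON object. The function names `parse_cri` and `decode` are hypothetical and the sample lines are constructed from the ones in the post.

```python
import json

# Constructed sample lines in CRI format: <timestamp> <stream> <P|F> <content>.
# The first two are shortened versions of the lines in the post; the last two
# are one record split by the runtime (P = partial, F = final).
SAMPLE = [
    '2022-07-15T14:50:51.994932036Z stdout F {"message":"any message","level":"DEBUG"}',
    '2022-07-15T13:07:50.109703392Z stdout F "any string"',
    '2022-07-15T13:07:51.000000000Z stdout P {"message":"first ha',
    '2022-07-15T13:07:51.000000001Z stdout F lf, second half"}',
]


def parse_cri(lines):
    """Yield one event per complete CRI record, joining partial (P) lines."""
    pending = {}  # stream name -> list of buffered partial contents
    for line in lines:
        parts = line.rstrip("\n").split(" ", 3)
        if len(parts) < 3 or parts[2] not in ("P", "F"):
            yield {"message": line, "error": "not a CRI line"}
            continue
        ts, stream, flag = parts[:3]
        content = parts[3] if len(parts) == 4 else ""
        pending.setdefault(stream, []).append(content)
        if flag == "P":
            continue  # wait for the final chunk of this record
        message = "".join(pending.pop(stream))
        yield decode(ts, stream, message)


def decode(ts, stream, message):
    """Attach decoded fields only when the content is a JSON object."""
    event = {"timestamp": ts, "stream": stream, "message": message}
    try:
        value = json.loads(message)
    except ValueError:
        return event  # plain text: keep the raw message
    if isinstance(value, dict):
        event["json"] = value
    # A JSON string, number or array has no keys to expand, so it stays raw.
    return event


if __name__ == "__main__":
    for ev in parse_cri(SAMPLE):
        print(ev)
```

Note that `"any string"` is valid JSON (a string) but not an object, so there are no keys to place under a `json` target; the example keeps it as the raw message.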