How to parse CRI logs

Hello (sorry for my English), I'm trying to parse CRI logs.
Logs not in JSON format are not parsed.

An example of logs that are parsed correctly
2022-07-15T14:50:51.994932036Z stdout F {"@timestamp":"timestamp","@version":2,"message":"any message","logger_name":"any string","thread_name":"thread name","level":"DEBUG","level_value":10000,"traceId":"id","spanId":"id"}

An example of logs that are not parsed correctly
2022-07-15T13:07:50.109703392Z stdout F "any string"

Config filebeat:

kubernetes.yml: |-
    - type: container
      id: "*"
      stream: stdout
      format: cri
      cri.parse_flags: true #(I have logs over 16kb)
      enabled: true
      symlinks: true
      ignore_older: 24h
      paths:
        - "/var/log/containers/*.log"
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
            default_matchers.enabled: false
            matchers:
            - logs_path:
                logs_path: /var/log/containers/
        - dissect:
            tokenizer: "%{parsed}"
            field: "message"
            target_prefix: ""
            overwrite_keys: true
            ignore_missing: true
        - drop_fields:
            fields: ["message"]
        - rename:
            fields:
              - from: "parsed"
                to: "message"
            ignore_missing: true
            fail_on_error: false
        - decode_json_fields:
            fields: ['message']
            target: json
            max_depth: 1
            overwrite_keys: true

Please tell me what I am doing wrong. Thanks.
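The line layout in the two samples above (timestamp, stream, P/F flag, payload) can be parsed outside Filebeat to see how a JSON object payload differs from a JSON string payload such as "any string". This is an added example, not part of the original post and not Filebeat's code; the function names, the `json` target key (mirroring the config's `target: json`) and the sample lines are constructed here for illustration.

```python
import json

# Constructed sample lines in the CRI layout shown in the post:
# <RFC3339Nano timestamp> <stream> <P|F flag> <payload>
SAMPLE = [
    '2022-07-15T14:50:51.994932036Z stdout F {"level":"DEBUG","message":"any message"}',
    '2022-07-15T13:07:50.109703392Z stdout F "any string"',
    '2022-07-15T13:07:51.000000001Z stdout P {"level":"INFO",',
    '2022-07-15T13:07:51.000000002Z stdout F "message":"split"}',
    '2022-07-15T13:07:52.000000000Z stderr F plain text, not JSON',
]


def build_event(ts, stream, message):
    """Keep the raw message; expand it under "json" only if it is a JSON object."""
    event = {"@timestamp": ts, "stream": stream, "message": message}
    try:
        decoded = json.loads(message)
    except ValueError:
        return event  # plain text: nothing to decode
    # '"any string"' is valid JSON, but it is a scalar with no keys to expand.
    if isinstance(decoded, dict):
        event["json"] = decoded
    return event


def parse_cri(lines):
    """Yield one event per complete record, joining partial (P) chunks per stream."""
    pending = {}  # stream -> payload chunks waiting for the final (F) line
    for line in lines:
        parts = line.rstrip("\n").split(" ", 3)
        if len(parts) < 3 or parts[1] not in ("stdout", "stderr"):
            continue  # not a CRI line, skip it
        ts, stream, flag = parts[:3]
        payload = parts[3] if len(parts) == 4 else ""
        pending.setdefault(stream, []).append(payload)
        if flag.split(":")[0] == "P":
            continue  # long line split by the runtime, more chunks follow
        yield build_event(ts, stream, "".join(pending.pop(stream)))


if __name__ == "__main__":
    for ev in parse_cri(SAMPLE):
        print(json.dumps(ev))
```
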
