Ingest mixed container logs with text and JSON [filebeat][docker]

Yep, that's possible using two different templates for the same container and routing logs based on whether or not they start with {.

Here's an example of how it should work with k8s:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      templates:
        - condition:
            contains:
              kubernetes.container.name: "my-app-1"
          config:
            - type: container
              paths:
                - "/var/log/containers/*-${data.kubernetes.container.id}.log"
              include_lines: ['^{']
              json.keys_under_root: true
              json.overwrite_keys: true
              json.add_error_key: true
              json.expand_keys: true
        - condition:
            contains:
              kubernetes.container.name: "my-app-1"
          config:
            - type: container
              paths:
                - "/var/log/containers/*-${data.kubernetes.container.id}.log"
              multiline.pattern: '^[[:blank:]]'
              multiline.negate: false
              multiline.match: after
              exclude_lines: ['^{']

Disclaimer: I have not tested the config. Please let me know if it works for you or if you had to make adjustments.
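The routing the config above is meant to achieve, as an added example that is not part of the original post and is not Filebeat code. It is a simplified Python model that assumes both line filters see the raw message text after the container input has unwrapped the runtime's log format, and that multiline joining runs before `exclude_lines`; the sample lines and all function names are constructed for illustration.

```python
import json
import re

# Constructed sample of one container's output (already unwrapped; assumption).
SAMPLE = [
    '{"level":"info","msg":"login ok","user":"alice"}',
    'plain startup banner',
    'Traceback (most recent call last):',
    '  File "app.py", line 3, in <module>',
    '    run()',
    '{"level":"error","msg":"db down"',          # truncated JSON
    '\tcontinuation right after a JSON line',
]

JSON_START = re.compile(r'^\{')        # same test as '^{' in the config
CONTINUATION = re.compile(r'^[ \t]')   # Python spelling of ^[[:blank:]]


def json_input(lines):
    """Intended behaviour of the first template: include '^{', decode JSON."""
    events = []
    for line in lines:
        if not JSON_START.search(line):
            continue                              # include_lines filter
        try:
            events.append(json.loads(line))       # keys placed at the root
        except json.JSONDecodeError as exc:
            # Modelled on json.add_error_key: keep the line, flag the failure.
            events.append({"message": line,
                           "error": {"type": "json", "message": str(exc)}})
    return events


def text_input(lines):
    """Second template: multiline (negate=false, match=after) joins indented
    lines to the previous one, then exclude '^{' drops joined events."""
    joined = []
    for line in lines:
        if CONTINUATION.search(line) and joined:
            joined[-1] += "\n" + line
        else:
            joined.append(line)
    return [e for e in joined if not JSON_START.search(e)]


def lost_lines(lines):
    """Non-JSON source lines that end up in neither input's output."""
    shipped = "\n".join(text_input(lines)).split("\n")
    return [l for l in lines if not JSON_START.search(l) and l not in shipped]
```

In this model an indented line that directly follows a JSON line is glued onto that JSON line by the multiline rule and then excluded, so it is shipped by neither input; `lost_lines(SAMPLE)` returns exactly that line.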