Processing fields with Filebeat via Kubernetes annotations

vicmarbev · March 10, 2020, 3:28pm

Hi, we've been looking into bypassing logstash and send logs directly from filebeat to elasticsearch. As we have a kubernetes deployment, as seen in here we can add annotations to handle things like multiline, excluded lines and modules. My question is: how would I go about handling applying a grok to a log line and extracting fields like timestamp, log level, etc? Is "co.elastic.logs/processors" the annotation for this? If so, how would I define one processor?

Right now in logstash we have (among other things) the following grok:

grok {
match => [ "message",
          "(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME})\s+%{LOGLEVEL:level} %{NUMBER:pid} --- .+? :\s+(?<logmessage>.*)"
        ]}

What is the equivalent in kubernetes annotation?

dkow · March 11, 2020, 7:54am

Hi @vicmarbev, thanks for your question. We've moved your post to Beats/Filebeat part of Discuss as it's mostly about Filebeat configuration in Kubernetes and not specific to ECK (https://github.com/elastic/cloud-on-k8s).

system · April 8, 2020, 7:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Where is add_kubernetes_metadata documented? Beats filebeat	5	2342	July 6, 2018
Moving from ELK to EFK Beats docker , filebeat	3	1200	November 26, 2019
Log Annotation Logstash	3	431	December 8, 2017
Send k8s logs with Filebeat to separate indices Beats filebeat	2	1880	October 30, 2020
Pod annotation co.elastic.logs/pipeline does not work? Beats filebeat	5	427	October 21, 2022

Processing fields with Filebeat via Kubernetes annotations

Related topics