我在 Kubernetes 中使用 fluent-bit 将日志转发到 Splunk。我们将为多个 Kubernetes 集群使用相同的 Splunk 索引,所以我想用它来自的集群标记从 fluent-bit 转发的每个事件。
我尝试使用修改功能在事件中“添加”或“设置”一个新字段。
fluent-bit-filter.conf: |-
[FILTER]
Name kubernetes
Match kube.*
Kube_Tag_Prefix kube.var.log.containers.
Kube_URL https://kubernetes.default.svc:443
Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token
K8S-Logging.Parser On
K8S-Logging.Exclude On
Add cluster devcluster
我实际收到的示例日志(缺少新添加的字段“集群”)
[305] kube.var.log.containers.calico-node-xzwnv_kube-system_calico-node-a4a6a2261a76ec419e9cf13ae39732b3e918726573cf1a0dece648e679011578.log: [1565578883.799679612, {"log"=>"2019-08-12 03:01:23.799 [INFO][68] int_dataplane.go 830: Received interface update msg=&intdataplane.ifaceUpdate{Name:"cali5d1a7318787", State:"up"}