@arslanm
Created July 21, 2017 17:46
Logstash filter for filebeat
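filter {
  # ...
  # logs delivered by filebeat
  if [program] == "filebeat_k8s" {
    # Move the container's log line into the standard "message" field.
    mutate {
      rename => { "log" => "message" }
    }
    # Parse the ISO8601 "time" field into @timestamp, then drop it.
    date {
      match => ["time", "ISO8601"]
      remove_field => ["time"]
    }
    # Split the log file path into Kubernetes fields. The pattern is anchored
    # and the dot before "log" is escaped so only a full path ending in .log matches.
    grok {
      match => { "source" => "^/var/log/containers/%{DATA:k8s_pod}_%{DATA:k8s_namespace}_%{GREEDYDATA:k8s_service}-%{DATA:k8s_container_id}\.log$" }
      remove_field => ["source"]
    }
  }
  # ...
}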
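
To check how the grok pattern splits a path without running Logstash, the following added example (not part of the gist) translates it into a Ruby regex, anchored to the whole path, and runs it on constructed paths. The stricter variant, the `parse_source` helper and the sample paths are assumptions made for illustration; the strict form assumes a 64-character lowercase hex container ID.

```ruby
# Grok's DATA is the lazy `.*?` and GREEDYDATA is the greedy `.*`.
K8S_SOURCE = %r{
  \A/var/log/containers/
  (?<k8s_pod>.*?)_
  (?<k8s_namespace>.*?)_
  (?<k8s_service>.*)-
  (?<k8s_container_id>.*?)\.log\z
}x

# Stricter variant (assumption, not in the gist): no "_" or "/" inside a
# name, and the container ID must be 64 lowercase hex characters.
K8S_SOURCE_STRICT = %r{
  \A/var/log/containers/
  (?<k8s_pod>[^_/]+)_
  (?<k8s_namespace>[^_/]+)_
  (?<k8s_service>[^_/]+)-
  (?<k8s_container_id>[0-9a-f]{64})\.log\z
}x

# Returns a hash of the named fields, or nil when the path does not match
# (Logstash would tag such an event with _grokparsefailure).
def parse_source(path, pattern = K8S_SOURCE)
  m = pattern.match(path)
  m && m.named_captures
end

# Constructed sample paths, not taken from a real cluster.
CID     = "0123456789abcdef" * 4
SAMPLE  = "/var/log/containers/web-5d4f8c7b9-x2k4q_prod_nginx-proxy-#{CID}.log"
ROTATED = "/var/log/containers/web_prod_nginx-#{CID}.log.1"
BAD_ID  = "/var/log/containers/web_prod_nginx-not-an-id.log"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE, ROTATED, BAD_ID].each do |path|
    puts path
    puts "  gist pattern: #{parse_source(path).inspect}"
    puts "  strict:       #{parse_source(path, K8S_SOURCE_STRICT).inspect}"
  end
end
```

On `BAD_ID` the gist-style pattern still matches and yields `k8s_service` "nginx-not-an" with `k8s_container_id` "id", while the strict variant rejects the path, so a malformed file name surfaces as a parse failure instead of a wrong field value.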