ClusterLogDestination

Scope: Cluster
Version: v1alpha1

Describes setting for a log storage, which you can use in many log sources.

metadata.name — is an upstream name, which you should use in custom resource ClusterLoggingConfig.

  • spec
    object

    Required value

    • spec.buffer
      object

      Buffer parameters.

      • spec.buffer.disk
        object

        Disk buffer parameters.

        • spec.buffer.disk.maxSize
          integer or string

          The maximum size of the buffer on disk. Must be at least ~256MB (268435488 bytes).

          You can express size as a plain integer or as a fixed-point number using one of these quantity suffixes: E, P, T, G, M, k, Ei, Pi, Ti, Gi, Mi, Ki.

          More about resource quantity:

          Pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

          Examples:

          maxSize: 512Mi

          maxSize: 268435488
      • spec.buffer.memory
        object
        • spec.buffer.memory.maxEvents
          number

          The maximum number of events allowed in the buffer.

      • spec.buffer.type
        string

        Required value

        The type of buffer to use.

        Allowed values: Disk, Memory

      • spec.buffer.whenFull
        string

        Event handling behavior when a buffer is full.

        Default: "Block"

        Allowed values: DropNewest, Block

    • spec.elasticsearch
      object
      • spec.elasticsearch.auth
        object
        • spec.elasticsearch.auth.awsAccessKey
          string

          Base64-encoded AWS ACCESS_KEY.

        • spec.elasticsearch.auth.awsAssumeRole
          string

          The ARN of an IAM role to assume at startup.

        • spec.elasticsearch.auth.awsRegion
          string

          AWS region for authentication.

        • spec.elasticsearch.auth.awsSecretKey
          string

          Base64-encoded AWS SECRET_KEY.

        • spec.elasticsearch.auth.password
          string

          Base64-encoded Basic authentication password.

        • spec.elasticsearch.auth.strategy
          string

          The authentication strategy to use.

          Default: "Basic"

          Allowed values: Basic, AWS

        • spec.elasticsearch.auth.user
          string

          The Basic authentication user name.

      • spec.elasticsearch.dataStreamEnabled
        boolean

        Use for storage indexes or datastreams (https://www.elastic.co/guide/en/elasticsearch/reference/master/data-streams.html).

        Datastream usage is better for logs and metrics storage but they works only for Elasticsearch >= 7.16.X.

        Default: false

      • spec.elasticsearch.docType
        string

        The doc_type for your index data. This is only relevant for Elasticsearch <= 6.X.

        • For Elasticsearch >= 7.X you do not need this option since this version has removed doc_type mapping;
        • For Elasticsearch >= 6.X the recommended value is _doc, because using it will make it easy to upgrade to 7.X;
        • For Elasticsearch < 6.X you can’t use a value starting with _ or empty string. Use, for example, values like logs.
      • spec.elasticsearch.endpoint
        string

        Required value

        Base URL of the Elasticsearch instance.

      • spec.elasticsearch.index
        string

        Index name to write events to.

      • spec.elasticsearch.pipeline
        string

        Name of the pipeline to apply.

      • spec.elasticsearch.tls
        object

        Configures the TLS options for outgoing connections.

        • spec.elasticsearch.tls.caFile
          string

          Base64-encoded CA certificate in PEM format.

        • spec.elasticsearch.tls.clientCrt
          object

          Configures the client certificate for outgoing connections.

          • spec.elasticsearch.tls.clientCrt.crtFile
            string

            Required value

            Base64-encoded certificate in PEM format.

            You must also set the keyFile parameter.

          • spec.elasticsearch.tls.clientCrt.keyFile
            string

            Required value

            Base64-encoded private key in PEM format (PKCS#8).

            You must also set the crtFile parameter.

          • spec.elasticsearch.tls.clientCrt.keyPass
            string

            Base64-encoded pass phrase used to unlock the encrypted key file.

        • spec.elasticsearch.tls.verifyCertificate
          boolean

          Validate the TLS certificate of the remote host. Specifically the issuer is checked but not CRLs (Certificate Revocation Lists).

          Default: true

        • spec.elasticsearch.tls.verifyHostname
          boolean

          Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.

          Default: true

    • spec.extraLabels
      object

      A set of labels that will be attached to each batch of events.

      You can use simple templating here: {{ app }}.

      There are some reserved keys:

      • parsed_data
      • pod
      • pod_labels_*
      • pod_ip
      • namespace
      • image
      • container
      • node
      • pod_owner

      More about field path notation…

      Example:

      extraLabels:
  forwarder: vector
  key: value
  app_info: "{{ app }}"
  array_member: "{{ array[0] }}"
  symbol_escating_value: "{{ pay\\.day }}"
    • spec.kafka
      object
      • spec.kafka.bootstrapServers
        array of strings

        Required value

        A list of host and port pairs that are the addresses of the Kafka brokers in a “bootstrap” Kafka cluster that a Kafka client connects to initially to bootstrap itself.

        Default: []

        Example:

        bootstrapServers:
- 10.14.22.123:9092
- 10.14.23.332:9092
        • Element of the array
          string

          Pattern: ^(.+)\:\d{1,5}$

      • spec.kafka.encoding
        object

        How to encode the message.

        • spec.kafka.encoding.codec
          string

          Default: "JSON"

          Allowed values: JSON, CEF

      • spec.kafka.keyField
        string

        Allows to set the key_field.

        Examples:

        keyField: host

        keyField: node

        keyField: namespace

        keyField: parsed_data.app_info
      • spec.kafka.sasl
        object

        Configuration for SASL authentication when interacting with Kafka.

        • spec.kafka.sasl.mechanism
          string

          Required value

          The SASL mechanism to use. Only PLAIN and SCRAM-based mechanisms are supported.

          Allowed values: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512

        • spec.kafka.sasl.password
          string

          Required value

          The SASL password.

          Example:

          password: qwerty
        • spec.kafka.sasl.username
          string

          Required value

          The SASL username.

          Example:

          username: username
      • spec.kafka.tls
        object

        Configures the TLS options for outgoing connections.

        • spec.kafka.tls.caFile
          string

          Base64-encoded CA certificate in PEM format.

        • spec.kafka.tls.clientCrt
          object

          Configures the client certificate for outgoing connections.

          • spec.kafka.tls.clientCrt.crtFile
            string

            Required value

            Base64-encoded certificate in PEM format.

            You must also set the keyFile parameter.

          • spec.kafka.tls.clientCrt.keyFile
            string

            Required value

            Base64-encoded private key in PEM format (PKCS#8).

            You must also set the crtFile parameter.

          • spec.kafka.tls.clientCrt.keyPass
            string

            Base64-encoded pass phrase used to unlock the encrypted key file.

        • spec.kafka.tls.verifyCertificate
          boolean

          Validate the TLS certificate of the remote host.

          Default: true

        • spec.kafka.tls.verifyHostname
          boolean

          Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.

          Default: true

      • spec.kafka.topic
        string

        Required value

        The Kafka topic name to write events to. This parameter supports template syntax, which enables you to use dynamic per-event values.

        Examples:

        topic: logs

        topic: logs-{{unit}}-%Y-%m-%d
    • spec.logstash
      object
      • spec.logstash.endpoint
        string

        Required value

        Base URL of the Logstash instance.

      • spec.logstash.tls
        object

        Configures the TLS options for outgoing connections.

        • spec.logstash.tls.caFile
          string

          Base64-encoded CA certificate in PEM format.

        • spec.logstash.tls.clientCrt
          object

          Configures the client certificate for outgoing connections.

          • spec.logstash.tls.clientCrt.crtFile
            string

            Required value

            Base64-encoded certificate in PEM format.

            You must also set the keyFile parameter.

          • spec.logstash.tls.clientCrt.keyFile
            string

            Required value

            Base64-encoded private key in PEM format (PKCS#8).

            You must also set the crtFile parameter.

          • spec.logstash.tls.clientCrt.keyPass
            string

            Base64-encoded pass phrase used to unlock the encrypted key file.

        • spec.logstash.tls.verifyCertificate
          boolean

          Validate the TLS certificate of the remote host.

          Default: true

        • spec.logstash.tls.verifyHostname
          boolean

          Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.

          Default: true

    • spec.loki
      object
      • spec.loki.auth
        object
        • spec.loki.auth.password
          string

          Base64-encoded Basic authentication password.

        • spec.loki.auth.strategy
          string

          The authentication strategy to use.

          Default: "Basic"

          Allowed values: Basic, Bearer

        • spec.loki.auth.token
          string

          The token to use for Bearer authentication.

        • spec.loki.auth.user
          string

          The Basic authentication user name.

      • spec.loki.endpoint
        string

        Required value

        Base URL of the Loki instance.

        Agent automatically adds /loki/api/v1/push into URL during data transmission.

      • spec.loki.tenantID
        string

        ID of a tenant.

        This option is used only for GrafanaCloud. When running Loki locally, a tenant ID is not required.

      • spec.loki.tls
        object

        Configures the TLS options for outgoing connections.

        • spec.loki.tls.caFile
          string

          Base64-encoded CA certificate in PEM format.

        • spec.loki.tls.clientCrt
          object

          Configures the client certificate for outgoing connections.

          • spec.loki.tls.clientCrt.crtFile
            string

            Required value

            Base64-encoded certificate in PEM format.

            You must also set the keyFile parameter.

          • spec.loki.tls.clientCrt.keyFile
            string

            Required value

            Base64-encoded private key in PEM format (PKCS#8).

            You must also set the crtFile parameter.

          • spec.loki.tls.clientCrt.keyPass
            string

            Base64-encoded pass phrase used to unlock the encrypted key file.

        • spec.loki.tls.verifyCertificate
          boolean

          Validate the TLS certificate of the remote host.

          If set to false, the certificate is not checked in the Certificate Revocation Lists.

          Default: true

        • spec.loki.tls.verifyHostname
          boolean

          Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.

          Default: true

    • spec.rateLimit
      object

      Parameter for limiting the flow of events.

      • spec.rateLimit.excludes
        array of objects

        List of excludes for keyField.

        Only NOT matched log entries would be rate limited.

        Examples:

        excludes:
  field: tier
  operator: Exists

        excludes:
  field: foo
  operator: NotIn
  values:
  - dev
  - 42
  - 'true'
  - '3.14'

        excludes:
  field: bar
  operator: Regex
  values:
  - "^abc"
  - "^\\d.+$"
        • spec.rateLimit.excludes.field
          string

          Required value

          Field name for filtering.

        • spec.rateLimit.excludes.operator
          string

          Required value

          Operator for log field comparations:

          • In — finds a substring in a string.
          • NotIn — is a negative version of the In operator.
          • Regex — is trying to match regexp over the field; only log events with matching fields will pass.
          • NotRegex — is a negative version of the Regex operator; log events without fields or with not matched fields will pass.
          • Exists — drops log event if it contains some fields.
          • DoesNotExist — drops log event if it does not contain some fields.

          Allowed values: In, NotIn, Regex, NotRegex, Exists, DoesNotExist

        • spec.rateLimit.excludes.values
          array

          Array of values or regexes for corresponding operations. Does not work for Exists and DoesNotExist operations.

          Fields a with float or boolean values will be converted to strings during comparison.

      • spec.rateLimit.keyField
        string

        The name of the log field whose value will be hashed to determine if the event should be rate limited.

      • spec.rateLimit.linesPerMinute
        number

        Required value

        The number of records per minute.

    • spec.splunk
      object
      • spec.splunk.endpoint
        string

        Required value

        Base URL of the Splunk instance.

        Example:

        endpoint: https://http-inputs-hec.splunkcloud.com
      • spec.splunk.index
        string

        Index name to write events to.

      • spec.splunk.tls
        object

        Configures the TLS options for outgoing connections.

        • spec.splunk.tls.caFile
          string

          Base64-encoded CA certificate in PEM format.

        • spec.splunk.tls.clientCrt
          object

          Configures the client certificate for outgoing connections.

          • spec.splunk.tls.clientCrt.crtFile
            string

            Required value

            Base64-encoded certificate in PEM format.

            You must also set the keyFile parameter.

          • spec.splunk.tls.clientCrt.keyFile
            string

            Required value

            Base64-encoded private key in PEM format (PKCS#8).

            You must also set the crtFile parameter.

          • spec.splunk.tls.clientCrt.keyPass
            string

            Base64-encoded pass phrase used to unlock the encrypted key file.

        • spec.splunk.tls.verifyCertificate
          boolean

          Validate the TLS certificate of the remote host.

          Default: true

        • spec.splunk.tls.verifyHostname
          boolean

          Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.

          Default: true

      • spec.splunk.token
        string

        Required value

        Default Splunk HEC token. If an event has a token set in its metadata, it will have priority over the one set here.

    • spec.type
      string

      Type of a log storage backend.

      Allowed values: Loki, Elasticsearch, Logstash, Vector, Kafka, Splunk

    • spec.vector
      object
      • spec.vector.endpoint
        string

        Required value

        An address of the Vector instance. API v2 must be used for communication between instances.

        Pattern: ^(.+):([0-9]{1,5})$

      • spec.vector.tls
        object

        Configures the TLS options for outgoing connections.

        • spec.vector.tls.caFile
          string

          Base64-encoded CA certificate in PEM format.

        • spec.vector.tls.clientCrt
          object

          Configures the client certificate for outgoing connections.

          • spec.vector.tls.clientCrt.crtFile
            string

            Required value

            Base64-encoded certificate in PEM format.

            You must also set the keyFile parameter.

          • spec.vector.tls.clientCrt.keyFile
            string

            Required value

            Base64-encoded private key in PEM format (PKCS#8).

            You must also set the crtFile parameter.

          • spec.vector.tls.clientCrt.keyPass
            string

            Base64-encoded passphrase used to unlock the encrypted key file.

        • spec.vector.tls.verifyCertificate
          boolean

          Validate the TLS certificate of the remote host.

          Default: true

        • spec.vector.tls.verifyHostname
          boolean

          Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.

          Default: true

ClusterLoggingConfig

Scope: Cluster
Version: v1alpha1

Describes a log source in log-pipeline.

Each custom resource ClusterLoggingConfig describes rules for log fetching from cluster.

  • spec
    object

    Required value

    • spec.destinationRefs
      array of strings

      Required value

      Array of ClusterLogDestination custom resource names which this source will output with.

      Fields with float or boolean values will be converted to strings.

    • spec.file
      object

      Describes a rule for collecting logs from files on a node.

      • spec.file.exclude
        array of strings

        Array of file patterns to exclude when collecting logs.

        Wildcards are supported.

        Examples:

        exclude: "/var/log/nginx/error.log"

        exclude: "/var/log/audit.log"
      • spec.file.include
        array of strings

        Array of file patterns to include.

        Wildcards are supported

        Examples:

        include: "/var/log/*.log"

        include: "/var/log/nginx/*.log"
      • spec.file.lineDelimiter
        string

        String sequence used to separate one file line from another.

        Example:

        lineDelimiter: "\\r\\n"
    • spec.kubernetesPods
      object

      Describes a rule for collecting logs from the cluster’s pods.

      • spec.kubernetesPods.labelSelector
        object

        Specifies the label selector to filter Pods with.

        You can get more into here.

        • spec.kubernetesPods.labelSelector.matchExpressions
          array of objects

          List of label expressions for Pods.

          Example:

          matchExpressions:
- key: tier
  operator: In
  values:
  - production
  - staging
- key: tier
  operator: NotIn
  values:
  - production
          • spec.kubernetesPods.labelSelector.matchExpressions.key
            string

            A label name.

          • spec.kubernetesPods.labelSelector.matchExpressions.operator
            string

            A comparison operator.

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.kubernetesPods.labelSelector.matchExpressions.values
            array of strings

            A label value.

            • Element of the array
              string

              Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

              Length: 1..63

        • spec.kubernetesPods.labelSelector.matchLabels
          object

          List of labels which Pod should have.

          Example:

          matchLabels:
  foo: bar
  baz: who
      • spec.kubernetesPods.namespaceSelector
        object

        Specifies the namespace selector to filter Pods with.

        The filter can use one of the three available ways to set the condition (parameters matchNames, excludeNames, labelSelector)

        • spec.kubernetesPods.namespaceSelector.excludeNames
          array of strings

          A list of namespaces, from the pods of which you need to exclude the collection of logs, but collect from the rest.

        • spec.kubernetesPods.namespaceSelector.labelSelector
          object

          Specifies the label selector to filter namespaces from which logs should be collected.

          You can get more into here.

          • spec.kubernetesPods.namespaceSelector.labelSelector.matchExpressions
            array of objects

            List of label expressions that a namespace should have to qualify for the filter condition.

            Example:

            matchExpressions:
- key: tier
  operator: In
  values:
  - production
  - staging
            • spec.kubernetesPods.namespaceSelector.labelSelector.matchExpressions.key
              string

              Required value

              A label name.

            • spec.kubernetesPods.namespaceSelector.labelSelector.matchExpressions.operator
              string

              Required value

              A comparison operator.

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.kubernetesPods.namespaceSelector.labelSelector.matchExpressions.values
              array of strings

              A label value.

          • spec.kubernetesPods.namespaceSelector.labelSelector.matchLabels
            object

            List of labels that a namespace should have to qualify for the filter condition.

            Example:

            matchLabels:
  foo: bar
  baz: who
        • spec.kubernetesPods.namespaceSelector.matchNames
          array of strings

          A list of namespaces from whose pods logs should be collected.

    • spec.labelFilter
      array of objects

      Rules to filter log lines by their metadata labels.

      Example:

      labelFilter:
- field: container
  operator: In
  values:
  - nginx
- field: pod_labels.tier
  operator: Regex
  values:
  - prod-.+
  - stage-.+
      • spec.labelFilter.field
        string

        Required value

        Label name for filtering.

        Must not be empty.

        Pattern: .+

      • spec.labelFilter.operator
        string

        Required value

        Operator for log field comparations:

        • In — finds a substring in a string.
        • NotIn — is a negative version of the In operator.
        • Regex — is trying to match regexp over the field; only log events with matching fields will pass.
        • NotRegex — is a negative version of the Regex operator; log events without fields or with not matched fields will pass.
        • Exists — drops log event if it contains some fields.
        • DoesNotExist — drops log event if it does not contain some fields.

        Allowed values: In, NotIn, Regex, NotRegex, Exists, DoesNotExist

      • spec.labelFilter.values
        array

        Array of values or regexes for corresponding operations. Does not work for Exists and DoesNotExist operations.

        Fields a with float or boolean values will be converted to strings during comparison.

    • spec.logFilter
      array of objects

      A list of filters for logs that are applied to messages in JSON format.

      Only matched lines would be stored to log destination.

      Example:

      logFilter:
- field: tier
  operator: Exists
- field: foo
  operator: NotIn
  values:
  - dev
  - 42
  - 'true'
  - '3.14'
- field: bar
  operator: Regex
  values:
  - "^abc"
  - "^\\d.+$"
      • spec.logFilter.field
        string

        Required value

        Field name for filtering. It should be empty for non-JSON messages.

      • spec.logFilter.operator
        string

        Required value

        Operator for log field comparations:

        • In — finds a substring in a string.
        • NotIn — is a negative version of the In operator.
        • Regex — is trying to match regexp over the field; only log events with matching fields will pass.
        • NotRegex — is a negative version of the Regex operator; log events without fields or with not matched fields will pass.
        • Exists — drops log event if it contains some fields.
        • DoesNotExist — drops log event if it does not contain some fields.

        Allowed values: In, NotIn, Regex, NotRegex, Exists, DoesNotExist

      • spec.logFilter.values
        array

        Array of values or regexes for corresponding operations. Does not work for Exists and DoesNotExist operations.

        Fields a with float or boolean values will be converted to strings during comparison.

    • spec.multilineParser
      object

      Multiline parser for different patterns.

      • spec.multilineParser.custom
        object

        Multiline parser custom regex rules.

        • spec.multilineParser.custom.endsWhen
          object

          It’s a condition to distinguish the last log line of multiline log.

          • spec.multilineParser.custom.endsWhen.notRegex
            string

            Regex string, which treats as match only strings that DOESN’T match regex.

          • spec.multilineParser.custom.endsWhen.regex
            string

            Regex string, which treats as match only strings that match regex.

        • spec.multilineParser.custom.startsWhen
          object

          It’s a condition to distinguish the first log line of multiline log.

          • spec.multilineParser.custom.startsWhen.notRegex
            string

            Regex string, which treats as match only strings that DOESN’T match regex.

          • spec.multilineParser.custom.startsWhen.regex
            string

            Regex string, which treats as match only strings that match regex.

      • spec.multilineParser.type
        string

        Required value

        Parser types:

        • None — do not parse logs.
        • General — tries to match general multiline logs with space or tabulation on extra lines.
        • Backslash — tries to match bash style logs with backslash on all lines except the last event line.
        • LogWithTime — tries to detect events by timestamp.
        • MultilineJSON — tries to match JSON logs, assuming the event starts with the { symbol.
        • Custom - tries to match logs with the user provided regex in spec.multilineParser.custom field.

        Default: "None"

        Allowed values: None, General, Backslash, LogWithTime, MultilineJSON, Custom

    • spec.type
      string

      Required value

      Set on of possible input sources.

      KubernetesPods source reads logs from Kubernetes Pods.

      File source reads local file from node filesystem.

      Allowed values: KubernetesPods, File

PodLoggingConfig

Scope: Namespaced
Version: v1alpha1

Custom resource for namespaced Kubernetes source.

Each custom resource PodLoggingConfig describes rules for log fetching from specified namespace.

  • spec
    object

    Required value

    • spec.clusterDestinationRefs
      array of strings

      Required value

      Array of ClusterLogDestination custom resource names which this source will output with.

    • spec.labelFilter
      array of objects

      Rules to filter log lines by their metadata labels.

      Example:

      labelFilter:
- field: container
  operator: In
  values:
  - nginx
- field: pod_labels.tier
  operator: Regex
  values:
  - prod-.+
  - stage-.+
      • spec.labelFilter.field
        string

        Required value

        Label name for filtering.

        Must not be empty.

        Pattern: .+

      • spec.labelFilter.operator
        string

        Required value

        Operator for log field comparations:

        • In — finds a substring in a string.
        • NotIn — is a negative version of the In operator.
        • Regex — is trying to match regexp over the field; only log events with matching fields will pass.
        • NotRegex — is a negative version of the Regex operator; log events without fields or with not matched fields will pass.
        • Exists — drops log event if it contains some fields.
        • DoesNotExist — drops log event if it does not contain some fields.

        Allowed values: In, NotIn, Regex, NotRegex, Exists, DoesNotExist

      • spec.labelFilter.values
        array

        Array of values or regexes for corresponding operations. Does not work for Exists and DoesNotExist operations.

        Fields with a float or boolean values will be converted to strings during comparison.

    • spec.labelSelector
      object

      Specifies the label selector to filter Pods.

      You can get more into here.

      • spec.labelSelector.matchExpressions
        array of objects

        List of label expressions for Pods.

        Example:

        matchExpressions:
- key: tier
  operator: In
  values:
  - production
  - staging
        • spec.labelSelector.matchExpressions.key
          string

          A label name.

        • spec.labelSelector.matchExpressions.operator
          string

          A comparison operator.

          Allowed values: In, NotIn, Exists, DoesNotExist

        • spec.labelSelector.matchExpressions.values
          array of strings

          A label value.

          • Element of the array
            string

            Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

            Length: 1..63

      • spec.labelSelector.matchLabels
        object

        List of labels which Pod should have.

        Example:

        matchLabels:
  foo: bar
  baz: who
    • spec.logFilter
      array of objects

      A list of filters for logs that are applied to messages in JSON format.

      Only matched lines would be stored to log destination.

      Example:

      logFilter:
- field: tier
  operator: Exists
- field: foo
  operator: NotIn
  values:
  - dev
  - 42
  - 'true'
  - '3.14'
- field: bar
  operator: Regex
  values:
  - "^abc"
  - "^\\d.+$"
      • spec.logFilter.field
        string

        Required value

        Field name for filtering. It should be empty for non-JSON messages.

      • spec.logFilter.operator
        string

        Required value

        Operator for log field comparations:

        • In — finds a substring in a string.
        • NotIn — is a negative version of the In operator.
        • Regex — is trying to match regexp over the field; only log events with matching fields will pass.
        • NotRegex — is a negative version of the Regex operator; log events without fields or with not matched fields will pass.
        • Exists — drops log event if it contains some fields.
        • DoesNotExist — drops log event if it does not contain some fields.

        Allowed values: In, NotIn, Regex, NotRegex, Exists, DoesNotExist

      • spec.logFilter.values
        array

        Array of values or regexes for corresponding operations. Does not work for Exists and DoesNotExist operations.

        Fields a with float or boolean values will be converted to strings during comparison.

    • spec.multilineParser
      object

      Multiline parser for different patterns.

      • spec.multilineParser.custom
        object

        Multiline parser custom regex rules.

        • spec.multilineParser.custom.endsWhen
          object

          It’s a condition to distinguish the last log line of the multiline log.

          • spec.multilineParser.custom.endsWhen.notRegex
            string

            Regex string, which treats as match only strings that DON’T match the regex.

          • spec.multilineParser.custom.endsWhen.regex
            string

            Regex string, which treats as match only strings that match the regex.

        • spec.multilineParser.custom.startsWhen
          object

          It’s a condition to distinguish the first log line of multiline log.

          • spec.multilineParser.custom.startsWhen.notRegex
            string

            Regex string, which treats as match only strings that DON’T match the regex.

          • spec.multilineParser.custom.startsWhen.regex
            string

            Regex string, which treats as match only strings that match the regex.

      • spec.multilineParser.type
        string

        Required value

        Parser types:

        • None — do not parse logs.
        • General — tries to match general multiline logs with space or tabulation on extra lines.
        • Backslash — tries to match bash style logs with backslash on all lines except the last event line.
        • LogWithTime — tries to detect events by timestamp.
        • MultilineJSON — tries to match JSON logs, assuming the event starts with the { symbol.
        • Custom - tries to match logs with the user provided regex in spec.multilineParser.custom field.

        Default: "None"

        Allowed values: None, General, Backslash, LogWithTime, MultilineJSON, Custom