Deploy filebeat with the kubernetes provider for autodiscover.
Start a pod called elasticsearch with the following annotations:
co.elastic.logs.elasticsearch/multiline.pattern: '^\{'
co.elastic.logs.elasticsearch/multiline.negate: 'true'
co.elastic.logs.elasticsearch/multiline.match: 'after'
co.elastic.logs.elasticsearch/multiline.timeout: '5s'
co.elastic.logs.elasticsearch/processors.0.decode_json_fields: '{"fields": ["message"], "target": "json", "add_error_key": true, "max_depth": 10, "expand_keys": true}'
co.elastic.logs.elasticsearch/processors.1.rename: '{"fields": [{"from": "json.message", "to": "message"}, {"from": "json.timestamp", "to": "@timestamp"}, {"from": "json.level", "to": "log.level"}, {"from": "json", "to": "hm.elasticsearch"}], "ignore_missing": true}'
co.elastic.logs.elasticsearch/processors.2.add_fields: '{"target": "", "fields": {"event": {"dataset": "elasticsearch"}}}'
In the filebeat log, we get:
2021-03-04T11:28:16.017Z ERROR [autodiscover] cfgfile/list.go:99 Error creating runner from config: unexpected expand_keys option in processors.0.decode_json_fields