fluent-bit: Modify filter not working with Record Accessors

Bug Report

When using the modify filter to copy nested fields using Record Accessors, the filter fails to find the fields.

To Reproduce

Configuration:

[FILTER]
    Name                modify
    Match               kube.*
    Copy                $kubernetes['labels']['app']    application
    Copy                $kubernetes['labels']['app.kubernetes.io/name'] application
    Copy                $kubernetes['container_name']   application
    Remove              $kubernetes['pod_id']
    Remove              $kubernetes['docker_id']
    Remove              $kubernetes['container_hash']

Fluent Bit debug log

[2022/01/21 14:54:40] [debug] [filter:modify:modify.4] Rule COPY $kubernetes['labels']['app'] TO application : No keys matching $kubernetes['labels']['app'] found, not applying rule
[2022/01/21 14:54:40] [debug] [filter:modify:modify.4] Rule COPY $kubernetes['labels']['app.kubernetes.io/name'] TO application : No keys matching $kubernetes['labels']['app.kubernetes.io/name'] found, not applying rule
[2022/01/21 14:54:40] [debug] [filter:modify:modify.4] Rule COPY $kubernetes['container_name'] TO application : No keys matching $kubernetes['container_name'] found, not applying rule

Output (sent to aws Cloudwatch)

{
    "log": "[14:55:24 INF]  REDACTED",
    "stream": "stdout",
    "time": "2022-01-21T14:55:24.532788648Z",
    "kubernetes": {
        "pod_name": "REDACTED",
        "namespace_name": "REDACTED",
        "pod_id": "723efe40-122a-4b93-960c-f79b09dc583f",
        "labels": {
            "app": "REDACTED",
            "controller-uid": "618de15b-8c23-47a2-8ac8-34cc1d59122d",
            "job-name": "REDACTED",
            "release": "REDACTED"
        },
        "annotations": {
            "kubernetes.io/psp": "eks.privileged"
        },
        "host": "REDACTED",
        "container_name": "REDACTED",
        "docker_id": "59a6665e0e27623e475a49a382e070c63c72b8673e6debcdc63444a455ecb6a9",
        "container_hash": "REDACTED",
        "container_image": "REDACTED"
    }
}

Steps to reproduce the problem:

Expected behavior ‘application’ field should be added to the log structure with the value taken from one of the 3 found fields. $kubernetes[‘pod_id’], $kubernetes[‘docker_id’], $kubernetes[‘container_hash’] should be removed from the log structure.

Your Environment

Version used: Latest
Configuration:

[FILTER]
    Name                kubernetes
    Match               kube.*
    Merge_Log           On
    Keep_Log            Off
    K8S-Logging.Parser  On
    K8S-Logging.Exclude On

[FILTER]
    Name                expect
    Match               kube.*
    key_exists          kubernetes
    key_exists          log
    action              exit

[FILTER]
    Name                grep
    Match               kube.*
    Exclude             $kubernetes['namespace_name']   kube-system

[FILTER]
    Name                stdout
    Match               kube.*

[FILTER]
    Name                modify
    Match               kube.*
    Copy                $kubernetes['labels']['app']    application
    Copy                $kubernetes['labels']['app.kubernetes.io/name'] application
    Copy                $kubernetes['container_name']   application
    Remove              $kubernetes['pod_id']
    Remove              $kubernetes['docker_id']
    Remove              $kubernetes['container_hash']

Environment name and version (e.g. Kubernetes? What version?): Kubernetes, Latest
Operating System and version: AWS Linux
Filters and plugins: kubernetes, expect, grep, stdout, modify, cloudwatch_logs

About this issue

Original URL
State: open
Created 2 years ago
Reactions: 33
Comments: 15 (2 by maintainers)

Most upvoted comments

This would be a great help if one wants to work with nested keys. We are facing the same issue trying to modify the k8s metainformation.

andrewnazarov on Apr 25, 2022

I’m having the same issue trying to copy the Kubernetes namespace into a variable.

chrw on Jul 25, 2022