
I have set up Fluentd in my Kubernetes cluster (AKS) to send the logs to Azure Blob using the Microsoft plugin azure-storage-append-blob. Currently my logs are stored under the path containername/logs/file.log, but I want them stored as containername/logs/podname/file.log. I've used the fluent-plugin-kubernetes_metadata_filter plugin to filter out the Kubernetes metadata. Below is the current configuration that I tried, but it did not work out well for me. I'm also posting a sample JSON output from the logs. I know this is possible, but I just need a little help or guidance to finish this off.

Current configuration:

    <match fluent.**>
      @type null
    </match>
    <source>
      @type tail
      path /var/log/containers/*.log
      pos_file /var/log/td-agent/tmp/access.log.pos
      tag container.*
      #format json
      format json
      time_key time
      time_format %Y-%m-%dT%H:%M:%S.%NZ
      read_from_head true
    </source>
    <match container.var.log.containers.**fluentd**.log>
      @type null
    </match>
    <filter container.**>
      @type kubernetes_metadata
    </filter>
    <match **>
      @type azure-storage-append-blob
      azure_storage_account    mysaname
      azure_storage_access_key mysaaccesskey
      azure_container          fluentdtest
      auto_create_container    true
      path logs/
      append false
      azure_object_key_format  %{path}%{tag}%{time_slice}_%{index}.log
      time_slice_format        %Y%m%d-%H-%M
      # if you want to use %{tag} or %Y/%m/%d/ like syntax in path / azure_blob_name_format,
      # need to specify tag for %{tag} and time for %Y/%m/%d in <buffer> argument.
      <buffer tag,time,timekey>
        @type file
        path /var/log/fluent/azurestorageappendblob
        timekey 300s
        timekey_wait 10s
        timekey_use_utc true # use utc
        chunk_limit_size 5MB
        queued_chunks_limit_size 1
      </buffer>
    </match>

Sample JSON from the logs:

container.var.log.containers.nginx-connector-deployment-5bbfdf4f86-p86dq_mynamespace_nginx-ee437ca90cb3924e1def9bdaa7f682577fc16fb023c00975963a105b26591bfb.log:
{
    "log": "2020-07-16 17:12:56,761 INFO spawned: 'consumer' with pid 87068\n",
    "stream": "stdout",
    "docker": {
        "container_id": "ee437ca90cb3924e1def9bdaa7f682577fc16fb023c00975963a105b26591bfb"
    },
    "kubernetes": {
        "container_name": "nginx",
        "namespace_name": "mynamespace",
        "pod_name": "nginx-connector-deployment-5bbfdf4f86-p86dq",
        "container_image": "docker.io/nginx",
        "container_image_id": "docker-pullable://docker.io/nginx:f908584cf96053e50862e27ac40534bbd57ca3241d4175c9576dd89741b4926",
        "pod_id": "93a630f9-0442-44ed-a8d2-9a7173880a3b",
        "host": "aks-nodepoolkube-15824989-vmss00000j",
        "labels": {
            "app": "nginx",
            "pod-template-hash": "5bbfdf4f86"
        },
        "master_url": "https://docker.io:443/api",
        "namespace_id": "87092784-26b4-4dd5-a9d2-4833b72a1366"
    }
}

Below is the official GitHub link for the append-blob plugin: https://github.com/microsoft/fluent-plugin-azure-storage-append-blob

vishal
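The path layout asked for in the question, as an added Ruby example (not code from the post or from the plugin): it takes the pod name from the `kubernetes.pod_name` field, cross-checks it against the `in_tail` tag, and builds a `logs/<pod_name>/...` key. The helper names `pod_name_for` and `blob_key` are hypothetical, and the key mirrors the question's `azure_object_key_format` rather than the plugin's internals.

```ruby
# Constructed from the sample tag and record shown in the question.
SAMPLE_TAG = 'container.var.log.containers.' \
             'nginx-connector-deployment-5bbfdf4f86-p86dq_mynamespace_nginx-' \
             'ee437ca90cb3924e1def9bdaa7f682577fc16fb023c00975963a105b26591bfb.log'
SAMPLE_RECORD = {
  'kubernetes' => { 'pod_name' => 'nginx-connector-deployment-5bbfdf4f86-p86dq',
                    'namespace_name' => 'mynamespace', 'container_name' => 'nginx' }
}.freeze

# Kubernetes object names: lowercase alphanumerics, "-" and ".", never "_" or "/".
DNS_NAME = /[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?/
# Tag layout from `tag container.*` on /var/log/containers/*.log:
#   container.var.log.containers.<pod>_<namespace>_<container>-<64 hex id>.log
TAG_RE = /\Acontainer\.var\.log\.containers\.
          (?<pod>#{DNS_NAME})_(?<namespace>#{DNS_NAME})_
          (?<container>#{DNS_NAME})-(?<id>[0-9a-f]{64})\.log\z/x

# Hypothetical helper: pod name for a record, preferring the metadata added by
# kubernetes_metadata and falling back to the tag. Returns nil when the two
# sources disagree or the value is not usable as a single path segment.
def pod_name_for(tag, record)
  from_record = record.dig('kubernetes', 'pod_name')
  m = TAG_RE.match(tag)
  from_tag = m && m[:pod]
  return nil if from_record && from_tag && from_record != from_tag

  name = from_record || from_tag
  return nil unless name && name.match?(/\A#{DNS_NAME}\z/)
  return nil if name.include?('..') # keep the key inside logs/<pod>/

  name
end

# Hypothetical helper: same pieces as %{path}%{tag}%{time_slice}_%{index}.log,
# with the pod name inserted as a directory under the path prefix.
def blob_key(path_prefix, tag, record, time_slice, index)
  pod = pod_name_for(tag, record) || 'unknown-pod'
  "#{path_prefix}#{pod}/#{tag}#{time_slice}_#{index}.log"
end

puts blob_key('logs/', SAMPLE_TAG, SAMPLE_RECORD, '20200716-17-10', 0)
```

Records whose tag and metadata disagree, or whose pod name fails validation, are filed under `unknown-pod` instead of producing an unexpected blob path.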

1 Answer


Please refer to the link below for a Fluentd configuration for reading JSON/non-JSON multiline logs. Try this configuration; it will work.

How to get ${kubernetes.namespace_name} for index_name in fluentd?

Anurag Jain