Drop log based on annotation or if a key is missing

My goal is to drop a log record if it contains any of certain strings, so I use the grep filter to exclude records containing those words. This works, but I am now getting some new logs and don't know where they are coming from. These logs don't even have a message attribute!

{
  "annotations.kubectl.kubernetes.io/restartedAt": "2021-10-22T15:16:02Z",
  "annotations.kubernetes.io/psp": "eks.privileged",
  "annotations.prometheus.io/path": "/stats/prometheus",
  "annotations.prometheus.io/port": "15020",
  "annotations.prometheus.io/scrape": "true",
  "annotations.sidecar.istio.io/inject": "true",
  "annotations.sidecar.istio.io/status.containers": "[\"istio-proxy\"]",
  "annotations.sidecar.istio.io/status.imagePullSecrets": "null",
  "annotations.sidecar.istio.io/status.initContainers": "[\"istio-init\"]",
  "annotations.sidecar.istio.io/status.version": "e2cb9d4837cda9584fd272bfa1f348525bcaacfadb7e9b9efbd21a3bb44ad7a1",
  "annotations.sidecar.istio.io/status.volumes": "[\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"]",
  "annotations.traffic.sidecar.istio.io/excludeOutboundPorts": "5432,5672,6379",
  "authority": "null",
  "bytes_received": 77189,
  "bytes_sent": 4984,
  "cluster_name": "eks",
  "container_hash": "istio/proxyv2@sha256:0a407ecee363d8d31957162b82738ae3dd09690668a0168d660044ac8fc728f0",
  "container_image": "istio/proxyv2:1.8.1",
  "container_name": "istio-proxy",
  "docker_id": "0c8536382e1785ec820af20f73e3de9affc929d5b891cafe45edafc8c8818bc9",
  "downstream_local_address": "185.221.87.247:443",
  "downstream_remote_address": "10.0.129.188:50870",
  "duration": 144,
  "host": "ip-10-0-178-231.eu-west-2.compute.internal",
  "labels.app.kubernetes.io/instance": "core-api",
  "labels.app.kubernetes.io/name": "core-api",
  "labels.istio.io/rev": "default",
  "labels.pod-template-hash": "7575f795cc",
  "labels.security.istio.io/tlsMode": "istio",
  "labels.service.istio.io/canonical-name": "core-api",
  "labels.service.istio.io/canonical-revision": "latest",
  "method": "null",
  "namespace_name": "prod",
  "newrelic.source": "api.logs",
  "path": "null",
  "plugin.source": "kubernetes",
  "plugin.type": "fluent-bit",
  "plugin.version": "1.10.0",
  "pod_id": "f28862d6-391b-410d-8362-f7b90174c05c",
  "pod_name": "core-api-7575f795cc-mgszx",
  "protocol": "null",
  "request_id": "null",
  "requested_server_name": "null",
  "response_code": 0,
  "response_flags": "-",
  "route_name": "null",
  "start_time": "2021-11-07T18:30:48.766Z",
  "stream": "stdout",
  "time": "2021-11-07T18:30:56.144647725Z",
  "timestamp": 1636309856144,
  "upstream_cluster": "PassthroughCluster",
  "upstream_host": "185.221.87.247:443",
  "upstream_local_address": "10.0.129.188:50872",
  "upstream_service_time": "null",
  "upstream_transport_failure_reason": "null",
  "user_agent": "null",
  "x_forwarded_for": "null"
}

My Fluent Bit configuration:

# Global engine settings: flush interval, log level (taken from the
# environment), the parsers file, and the built-in HTTP server.
[SERVICE]
    Flush         1
    Log_Level     ${LOG_LEVEL}
    Daemon        off
    Parsers_File  parsers.conf
    HTTP_Server   On
    # NOTE(review): 0.0.0.0 binds the built-in HTTP server to every interface.
    # That server has no authentication, so limit who can reach port 2020
    # (for example with a NetworkPolicy) or bind to a narrower address if
    # only local scraping is needed.
    HTTP_Listen   0.0.0.0
    HTTP_Port     2020

# Tails container log files of the prod namespace and tags them kube.*.
[INPUT]
    Name              tail
    Tag               kube.*
    # Path              ${PATH}
    Path              /var/log/containers/*_prod_*.log
    # NOTE(review): these patterns are meant to skip the Istio sidecar files,
    # yet the sample record above has container_name "istio-proxy". Confirm
    # that the running agent actually loaded this file before layering more
    # filters on top.
    Exclude_Path      /var/log/containers/*_istio-proxy*,/var/log/containers/*_istio-init*
    Parser            ${LOG_PARSER}
    DB                ${FB_DB}
    # NOTE(review): Tag is set twice in this section with the same value;
    # one of the two lines is redundant.
    Tag               kube.*
    Mem_Buf_Limit     7MB
    # NOTE(review): with Skip_Long_Lines On, a line that exceeds the tail
    # buffer limit is skipped rather than forwarded, so oversized entries
    # never reach the backend.
    Skip_Long_Lines   On
    Refresh_Interval  10

# Enriches kube.* records with pod metadata obtained from the Kubernetes API
# at Kube_URL.
[FILTER]
    Name           kubernetes
    Match          kube.*
    # We need the full DNS suffix as Windows only supports resolving names with this suffix
    # See: https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#dns-limitations
    Kube_URL       https://kubernetes.default.svc.cluster.local:443
    # NOTE(review): when this resolves to On, pods can opt out of collection
    # through a fluentbit.io/exclude annotation, so log coverage then depends
    # on who may set pod annotations -- confirm that is intended.
    K8S-Logging.Exclude ${K8S_LOGGING_EXCLUDE}

# Adds a cluster_name field (value from the environment) to every record.
[FILTER]
    Name           record_modifier
    Match          *
    Record         cluster_name ${CLUSTER_NAME}

# Drops records whose "log" or "message" text matches one of the patterns.
[FILTER]
    Name          grep
    Match         *
    # NOTE(review): each rule tests only the key it names. The sample record
    # above, as shown, has neither "log" nor "message", so none of these rules
    # can match it and it passes through. To drop by container, match on the
    # container-name field instead. The kubernetes filter nests its metadata
    # under "kubernetes", so the key is presumably
    # $kubernetes['container_name'] -- verify the record layout at this stage
    # (e.g. with a stdout output) before relying on it.
    Exclude       log /.*healthcheck.*/
    Exclude       message /.*healthcheck.*/
    # NOTE(review): a content-based exclude drops every line that contains the
    # substring, including error or audit lines that merely mention it.
    # Matching on metadata (container, namespace) loses less.
    Exclude       message /.*istio.*/

# Asserts that records do not carry a "log" key.
[FILTER]
    Name                expect
    Match               *
    key_not_exists      log
    # NOTE(review): expect validates records; it does not drop them. With
    # "action exit", the first record that violates the rule stops the
    # Fluent Bit process, which halts all log forwarding from this agent.
    # Use "warn" while debugging and remove the filter once the pipeline is
    # understood.
    action              exit

# Ships kube.* records to New Relic. The license key, endpoint and low-data
# mode are read from the environment rather than written in this file.
[OUTPUT]
    Name           newrelic
    Match          kube.*
    # NOTE(review): keep the license key out of the file as done here, and
    # make sure the variable is populated from a secret store rather than a
    # plain-text manifest.
    licenseKey     ${LICENSE_KEY}
    endpoint       ${ENDPOINT}
    lowDataMode    ${LOW_DATA_MODE}

# Relevant parsers retrieved from: https://github.com/fluent/fluent-bit/blob/master/conf/parsers.conf
# Parses each line as JSON (Docker json-file layout, where the text is under
# the "log" key). The timestamp is read from the "time" key and, with
# Time_Keep On, kept in the record.
[PARSER]
    Name         docker
    Format       json
    Time_Key     time
    Time_Format  %Y-%m-%dT%H:%M:%S.%L
    Time_Keep    On

# Splits CRI-format lines into time, stream, logtag and message through the
# named captures in Regex. With this parser the text is under "message",
# not "log", which matters for any filter rule that names one of those keys.
[PARSER]
    Name cri
    Format regex
    Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
    Time_Key    time
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z

Is there a way to drop the whole JSON log record when it has an attribute such as "container_name": "istio-proxy"?

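This may be best solved with a single lua filter rather than multiple grep include/exclude and expect filters. A Lua callback can inspect any field of the record, including the container name, and drop the record by returning -1 as its code. The grep rules in the configuration test only the log and message keys, which this record does not have, and the expect filter validates records rather than dropping them.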