Store fields into local variable to be used across different stages

Hi there,

I want to assign selected fields of an event into a local variable and use it for dynamically configuring output plugin. For example, I want the Kubernetes namespace_name and pod_name to be stored in a local variables and use them to configure CloudWatch log_group.

I couldn’t find any documentation related to local variables and scopes within FluentD.

Appreciate if you could assist.

The Cloudwatch output plugin has fields that allow you to do this easily. Given you are using the kubernetes_metadata plug in too (to get the pod name and fields etc)

E.g.

  # Retrieves Kubernetes metadata for each log and appends it to the log event. 
  <filter kubernetes.**>
    type kubernetes_metadata
  </filter>

  # Optional, you can map each kubernetes value directly to your own variables here. Or you can use them directly in your match directive. Note that this assumes that the `app` label exists on your kubernetes services. Feel free to map this to another label that might be more useful. 
  <filter kubernetes.**>
     @type record_transformer
     enable_ruby true
     <record>
     service ${record["kubernetes"]["labels"]["app"]}
     pod ${record["kubernetes"]["pod_name"]}
   </record>
  </filter>

  # The cloudwatch plug in gives keys that allow you to assign the log group and stream name.
  <match kubernetes.**>
    @type cloudwatch_logs
    log_group_name_key service
    log_stream_name_key pod
    remove_log_group_name_key true <- these removes the keys used from the data, so you aren't duplicating data.
    remove_log_stream_name_key true  <- these removes the keys used from the data, so you aren't duplicating data.
    auto_create_stream true  <- nice for dynamically creating log streams from new services when fluentd notices new services don't have a log stream yet.
  </match>

Use log_group_name and log_stream_name to build the string you want each event to use. As each event has it’s own metadata, the value will change depending on the log being emitted. You don’t have to use the record transformer here as you can directly reference the values if you want, but note that you probably don’t want to delete the kube metadata here so i’ve omitted the remove key fields.

  <match kubernetes.**>
    @type cloudwatch_logs
    log_group_name_key ${record["kubernetes"]["labels"]["app"]}
    log_stream_name_key ${record["kubernetes"]["pod-name"]}
    auto_create_stream true
  </match>