The CloudWatch output plugin has fields that allow you to do this easily, given that you are also using the kubernetes_metadata plugin (to get the pod name and other fields):
```
# Retrieves Kubernetes metadata for each log and appends it to the log event.

# Optional: you can map each Kubernetes value directly to your own variables here,
# or you can use them directly in your match directive. Note that this assumes that
# the `app` label exists on your Kubernetes services. Feel free to map this to
# another label that might be more useful.

# The CloudWatch plugin gives keys that allow you to assign the log group and stream name.

# Removes the keys used from the data, so you aren't duplicating data.
remove_log_group_name_key true
# Removes the keys used from the data, so you aren't duplicating data.
remove_log_stream_name_key true
# Nice for dynamically creating log streams from new services when fluentd notices
# new services don't have a log stream yet.
auto_create_stream true
```
`log_stream_name` to build the string you want each event to use. As each event has its own metadata, the value will change depending on the log being emitted. You don't have to use the record transformer here, as you can directly reference the values if you want, but note that you probably don't want to delete the kube metadata here, so I've omitted the remove key fields.
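A complete pipeline of the kind described above, as an added example that is not the original answer's configuration. The `kubernetes.**` tag pattern, the `region` value, the record key names `log_group_name`/`log_stream_name` and the fallback strings are assumptions; the fallbacks keep a pod without an `app` label from producing an empty group name.

```conf
# Added example; tag pattern, region and fallback names are assumptions.

# Retrieves Kubernetes metadata for each log and appends it to the log event.
<filter kubernetes.**>
  @type kubernetes_metadata
</filter>

# Copies the values the output plugin will read into top-level keys.
# The kubernetes metadata itself is left in the record.
<filter kubernetes.**>
  @type record_transformer
  enable_ruby true
  <record>
    # Labels are set by whoever deploys the workload, so treat them as optional:
    # fall back to the namespace, then to a fixed name, when "app" is missing.
    log_group_name ${record.dig("kubernetes", "labels", "app") || record.dig("kubernetes", "namespace_name") || "unlabelled"}
    # One stream per pod.
    log_stream_name ${record.dig("kubernetes", "pod_name") || "unknown-pod"}
  </record>
</filter>

<match kubernetes.**>
  @type cloudwatch_logs
  region us-east-1
  # Per-event group and stream names are taken from these record keys.
  log_group_name_key log_group_name
  log_stream_name_key log_stream_name
  # Drop the two helper keys before the event is sent.
  remove_log_group_name_key true
  remove_log_stream_name_key true
  # Create the stream on first use for services fluentd has not seen before.
  auto_create_stream true
</match>
```

With `auto_create_stream` enabled, the credentials fluentd runs under need permission to create log streams as well as write events, so scope that IAM policy to the log groups this pipeline is expected to produce.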