|
6 | 6 | [id="logging-content-filter-drop-records_{context}"]
|
7 | 7 | = Configuring content filters to drop unwanted log records
|
8 | 8 |
|
9 |
| -When the `drop` filter is configured, the log collector evaluates log streams according to the filters before forwarding. The collector drops unwanted log records that match the specified configuration. |
| 9 | +Collecting all cluster logs produces a large amount of data, which can be expensive to move and store. To reduce volume, you can configure the `drop` filter to exclude unwanted log records before forwarding. The log collector evaluates log streams against the filter and drops records that match specified conditions. |
| 10 | + |
| 11 | +The `drop` filter uses the `test` field to define one or more conditions for evaluating log records. |
| 12 | +The filter applies the following rules to check whether to drop a record: |
| 13 | + |
| 14 | +* A test passes if all its specified conditions evaluate to true. |
| 15 | +* If a test passes, the filter drops the log record. |
| 16 | +* If you define several tests in the `drop` filter configuration, the filter drops the log record if any of the tests pass. |
| 17 | +* If there is an error evaluating a condition, for example, the referenced field is missing, that condition evaluates to false. |
10 | 18 |
|
11 | 19 | .Prerequisites
|
12 | 20 |
|
13 | 21 | * You have installed the {clo}.
|
14 | 22 | * You have administrator permissions.
|
15 | 23 | * You have created a `ClusterLogForwarder` custom resource (CR).
|
| 24 | +* You have installed the {oc-first}. |
16 | 25 |
|
17 | 26 | .Procedure
|
18 | 27 |
|
19 |
| -. Add a configuration for a filter to the `filters` spec in the `ClusterLogForwarder` CR. |
| 28 | +. Extract the existing `ClusterLogForwarder` configuration and save it as a local file. |
| 29 | ++ |
| 30 | +[source,terminal] |
| 31 | +---- |
| 32 | +$ oc get clusterlogforwarder <name> -n <namespace> -o yaml > <filename>.yaml |
| 33 | +---- |
| 34 | ++ |
| 35 | +Where: |
20 | 36 | +
|
21 |
| -The following example shows how to configure the `ClusterLogForwarder` CR to drop log records based on regular expressions: |
| 37 | +* `<name>` is the name of the `ClusterLogForwarder` instance you want to configure. |
| 38 | +* `<namespace>` is the namespace where you created the `ClusterLogForwarder` instance, for example `openshift-logging`. |
| 39 | +* `<filename>` is the name of the local file where you save the configuration. |
| 40 | + |
| 41 | +. Add a configuration to drop unwanted log records to the `filters` spec in the `ClusterLogForwarder` CR. |
22 | 42 | +
|
| 43 | +-- |
23 | 44 | .Example `ClusterLogForwarder` CR
|
24 | 45 | [source,yaml]
|
25 | 46 | ----
|
26 |
| -apiVersion: logging.openshift.io/v1 |
| 47 | +apiVersion: observability.openshift.io/v1 |
27 | 48 | kind: ClusterLogForwarder
|
28 | 49 | metadata:
|
29 |
| -# ... |
| 50 | + name: instance |
| 51 | + namespace: openshift-logging |
30 | 52 | spec:
|
| 53 | + # ... |
31 | 54 | filters:
|
32 |
| - - name: <filter_name> |
| 55 | + - name: drop-filter |
33 | 56 | type: drop # <1>
|
34 | 57 | drop: # <2>
|
35 | 58 | - test: # <3>
|
36 |
| - - field: .kubernetes.labels."foo-bar/baz" # <4> |
| 59 | + - field: .kubernetes.labels."app.version-1.2/beta" # <4> |
37 | 60 | matches: .+ # <5>
|
38 | 61 | - field: .kubernetes.pod_name
|
39 | 62 | notMatches: "my-pod" # <6>
|
40 | 63 | pipelines:
|
41 |
| - - name: <pipeline_name> # <7> |
42 |
| - filterRefs: ["<filter_name>"] |
43 |
| -# ... |
| 64 | + - name: my-pipeline # <7> |
| 65 | + filterRefs: |
| 66 | + - drop-filter |
| 67 | + # ... |
44 | 68 | ----
|
45 |
| -<1> Specifies the type of filter. The `drop` filter drops log records that match the filter configuration. |
46 |
| -<2> Specifies configuration options for applying the `drop` filter. |
47 |
| -<3> Specifies the configuration for tests that are used to evaluate whether a log record is dropped. |
48 |
| -** If all the conditions specified for a test are true, the test passes and the log record is dropped. |
49 |
| -** When multiple tests are specified for the `drop` filter configuration, if any of the tests pass, the record is dropped. |
50 |
| -** If there is an error evaluating a condition, for example, the field is missing from the log record being evaluated, that condition evaluates to false. |
51 |
| -<4> Specifies a dot-delimited field path, which is a path to a field in the log record. The path can contain alpha-numeric characters and underscores (`a-zA-Z0-9_`), for example, `.kubernetes.namespace_name`. If segments contain characters outside of this range, the segment must be in quotes, for example, `.kubernetes.labels."foo.bar-bar/baz"`. You can include multiple field paths in a single `test` configuration, but they must all evaluate to true for the test to pass and the `drop` filter to be applied. |
52 |
| -<5> Specifies a regular expression. If log records match this regular expression, they are dropped. You can set either the `matches` or `notMatches` condition for a single `field` path, but not both. |
53 |
| -<6> Specifies a regular expression. If log records do not match this regular expression, they are dropped. You can set either the `matches` or `notMatches` condition for a single `field` path, but not both. |
54 |
| -<7> Specifies the pipeline that the `drop` filter is applied to. |
55 |
| - |
56 |
| -. Apply the `ClusterLogForwarder` CR by running the following command: |
| 69 | +<1> Specify the type of filter. The `drop` filter drops log records that match the filter configuration. |
| 70 | +<2> Specify configuration options for the `drop` filter. |
| 71 | +<3> Specify conditions for tests to evaluate whether the filter drops a log record. |
| 72 | +<4> Specify dot-delimited paths to fields in log records. |
| 73 | +** Each path segment can contain alphanumeric characters and underscores, `a-z`, `A-Z`, `0-9`, `_`, for example, `.kubernetes.namespace_name`. |
| 74 | +** If segments contain different characters, the segment must be in quotes, for example, `.kubernetes.labels."app.version-1.2/beta"`. |
| 75 | +** You can include several field paths in a single `test` configuration, but they must all evaluate to true for the test to pass and the `drop` filter to apply. |
| 76 | +<5> Specify a regular expression. If log records match this regular expression, they are dropped. |
| 77 | +<6> Specify a regular expression. If log records do not match this regular expression, they are dropped. |
| 78 | +<7> Specify the pipeline that uses the `drop` filter. |
| 79 | +-- |
57 | 80 | +
|
58 |
| -[source,terminal] |
59 |
| ----- |
60 |
| -$ oc apply -f <filename>.yaml |
61 |
| ----- |
62 |
| - |
63 |
| -.Additional examples |
64 |
| - |
65 |
| -The following additional example shows how you can configure the `drop` filter to only keep higher priority log records: |
66 |
| - |
| 81 | +[NOTE] |
| 82 | +==== |
| 83 | +You can set either the `matches` or `notMatches` condition for a single `field` path, but not both. |
| 84 | +==== |
| 85 | ++ |
| 86 | +.Example configuration that keeps only high-priority log records |
67 | 87 | [source,yaml]
|
68 | 88 | ----
|
69 |
| -apiVersion: logging.openshift.io/v1 |
70 |
| -kind: ClusterLogForwarder |
71 |
| -metadata: |
72 | 89 | # ...
|
73 |
| -spec: |
74 |
| - filters: |
75 |
| - - name: important |
76 |
| - type: drop |
77 |
| - drop: |
78 |
| - test: |
79 |
| - - field: .message |
80 |
| - notMatches: "(?i)critical|error" |
81 |
| - - field: .level |
82 |
| - matches: "info|warning" |
| 90 | +filters: |
| 91 | +- name: important |
| 92 | + type: drop |
| 93 | + drop: |
| 94 | + - test: |
| 95 | + - field: .message |
| 96 | + notMatches: "(?i)critical|error" |
| 97 | + - field: .level |
| 98 | + matches: "info|warning" |
83 | 99 | # ...
|
84 | 100 | ----
|
85 |
| - |
86 |
| -In addition to including multiple field paths in a single `test` configuration, you can also include additional tests that are treated as _OR_ checks. In the following example, records are dropped if either `test` configuration evaluates to true. However, for the second `test` configuration, both field specs must be true for it to be evaluated to true: |
87 |
| - |
| 101 | ++ |
| 102 | +.Example configuration with several tests |
88 | 103 | [source,yaml]
|
89 | 104 | ----
|
90 |
| -apiVersion: logging.openshift.io/v1 |
91 |
| -kind: ClusterLogForwarder |
92 |
| -metadata: |
93 | 105 | # ...
|
94 |
| -spec: |
95 |
| - filters: |
96 |
| - - name: important |
97 |
| - type: drop |
98 |
| - drop: |
99 |
| - test: |
100 |
| - - field: .kubernetes.namespace_name |
101 |
| - matches: "^open" |
102 |
| - test: |
103 |
| - - field: .log_type |
104 |
| - matches: "application" |
105 |
| - - field: .kubernetes.pod_name |
106 |
| - notMatches: "my-pod" |
| 106 | +filters: |
| 107 | +- name: important |
| 108 | + type: drop |
| 109 | + drop: |
| 110 | + - test: # <1> |
| 111 | + - field: .kubernetes.namespace_name |
| 112 | + matches: "openshift.*" |
| 113 | + - test: # <2> |
| 114 | + - field: .log_type |
| 115 | + matches: "application" |
| 116 | + - field: .kubernetes.pod_name |
| 117 | + notMatches: "my-pod" |
107 | 118 | # ...
|
108 | 119 | ----
|
| 120 | +<1> The filter drops logs that contain a namespace that starts with `openshift`. |
| 121 | +<2> The filter drops application logs that do not have `my-pod` in the pod name. |
| 122 | + |
| 123 | +. Apply the `ClusterLogForwarder` CR by running the following command: |
| 124 | ++ |
| 125 | +[source,terminal] |
| 126 | +---- |
| 127 | +$ oc apply -f <filename>.yaml |
| 128 | +---- |
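Review bot: In the "Example configuration with several tests" block, `matches: "openshift.*"` is no longer anchored, yet callout <1> says the filter drops logs whose namespace starts with `openshift`; the line it replaces used `"^open"`. Callout <2> reads `notMatches: "my-pod"` as "do not have `my-pod` in the pod name", which is substring matching, and under that reading `openshift.*` would also match a hypothetical namespace such as `my-openshift-tools`. Suggest `matches: "^openshift"` so the pattern and the callout agree, or reword callout <1> to say "contains". Separately, the new rule that a condition on a missing field evaluates to false means a `notMatches` condition never passes for a record that lacks the field, so in the high-priority example a record without `.message` is kept rather than dropped; one sentence saying so next to the rule list would prevent readers from assuming the opposite.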