diff --git a/internal/generator/vector/conf/complex.toml b/internal/generator/vector/conf/complex.toml index 976754defe..7e9528ec96 100644 --- a/internal/generator/vector/conf/complex.toml +++ b/internal/generator/vector/conf/complex.toml @@ -146,6 +146,7 @@ source = ''' if .log_type == "audit" && .log_source == "auditd" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) match1 = parse_regex(.message, r'type=(?P[^ ]+)') ?? {} @@ -172,6 +173,7 @@ if .log_type == "audit" && .log_source == "auditd" { if .log_type == "audit" && .log_source == "kubeAPI" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) . = merge(., parse_json!(string!(.message))) ?? . @@ -183,6 +185,7 @@ if .log_type == "audit" && .log_source == "kubeAPI" { if .log_type == "audit" && .log_source == "openshiftAPI" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) . = merge(., parse_json!(string!(.message))) ?? . @@ -194,6 +197,7 @@ if .log_type == "audit" && .log_source == "openshiftAPI" { if .log_type == "audit" && .log_source == "ovn" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) if !exists(.level) { @@ -222,6 +226,7 @@ if .log_type == "audit" && .log_source == "ovn" { if .log_source == "container" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file if !exists(.level) { .level = "default" if match!(.message, r'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"|') { 
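Review bot: In the kubeAPI hunk (and the openshiftAPI hunk after it) `._internal.file = .file` is assigned before `. = merge(., parse_json!(string!(.message))) ?? .`, and `merge` is shallow by default, so a top-level `_internal` key in the parsed message would replace the whole snapshot. Well-formed audit events probably never carry that key, but the CloudWatch stream name elsewhere in this commit is now derived from `._internal.file`, so message content should not be able to override it. Consider holding the path in a local and assigning it after the merge, e.g. `file = del(.file)` before and `._internal.file = file` after. The same ordering appears in complex_http_receiver.toml and adapter_test_kube_api_filter.toml; these look like expected-output fixtures, so the change would belong in the generator code, which is outside this diff.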
@@ -295,6 +300,7 @@ if .log_source == "container" { if .log_source == "node" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file .tag = ".journal.system" del(.source_type) diff --git a/internal/generator/vector/conf/complex_http_receiver.toml b/internal/generator/vector/conf/complex_http_receiver.toml index 8f0b013e1e..0bbb55aaa5 100644 --- a/internal/generator/vector/conf/complex_http_receiver.toml +++ b/internal/generator/vector/conf/complex_http_receiver.toml @@ -180,6 +180,7 @@ source = ''' if .log_type == "audit" && .log_source == "auditd" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) match1 = parse_regex(.message, r'type=(?P[^ ]+)') ?? {} @@ -206,6 +207,7 @@ if .log_type == "audit" && .log_source == "auditd" { if .log_type == "audit" && .log_source == "kubeAPI" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) . = merge(., parse_json!(string!(.message))) ?? . @@ -217,6 +219,7 @@ if .log_type == "audit" && .log_source == "kubeAPI" { if .log_type == "audit" && .log_source == "openshiftAPI" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) . = merge(., parse_json!(string!(.message))) ?? . @@ -228,6 +231,7 @@ if .log_type == "audit" && .log_source == "openshiftAPI" { if .log_type == "audit" && .log_source == "ovn" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) if !exists(.level) { 
@@ -256,6 +260,7 @@ if .log_type == "audit" && .log_source == "ovn" { if .log_source == "container" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file if !exists(.level) { .level = "default" if match!(.message, r'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"|') { @@ -329,6 +334,7 @@ if .log_source == "container" { if .log_source == "node" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file .tag = ".journal.system" del(.source_type) diff --git a/internal/generator/vector/conf/container.toml b/internal/generator/vector/conf/container.toml index 0f2e4b2781..b9fb337217 100644 --- a/internal/generator/vector/conf/container.toml +++ b/internal/generator/vector/conf/container.toml @@ -67,6 +67,7 @@ source = ''' if .log_source == "container" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file if !exists(.level) { .level = "default" if match!(.message, r'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"|') { diff --git a/internal/generator/vector/filter/openshift/viaq/common.go b/internal/generator/vector/filter/openshift/viaq/common.go index f9b060f09e..971298e592 100644 --- a/internal/generator/vector/filter/openshift/viaq/common.go +++ b/internal/generator/vector/filter/openshift/viaq/common.go @@ -3,5 +3,8 @@ package viaq const ( ClusterID = `.openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}"` FixTimestampField = `ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts}` - InternalContext = `._internal.message = .message` + InternalContext = ` +._internal.message = .message +._internal.file = .file +` ) diff --git a/internal/generator/vector/output/cloudwatch/cloudwatch.go b/internal/generator/vector/output/cloudwatch/cloudwatch.go index 2bc99b367d..4f9ff08b81 100644 --- a/internal/generator/vector/output/cloudwatch/cloudwatch.go 
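Review bot: `InternalContext` in common.go has no comment saying what `._internal` is for or where it is removed, and it now carries the source file path as well as the raw message. A doc comment such as `// InternalContext snapshots fields that later VRL steps delete or rewrite (.message, .file) under ._internal for use by output transforms.` would help. Whether `._internal` is stripped before events are encoded for a sink is not visible here and is worth stating in the same comment. The literal also now starts and ends with a newline, so anything that embeds it inline will emit blank lines around it, which is presumably harmless in VRL.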
+++ b/internal/generator/vector/output/cloudwatch/cloudwatch.go @@ -138,9 +138,8 @@ func NormalizeStreamName(componentID string, inputs []string) Element { vrl := strings.TrimSpace(` .stream_name = "default" -if (.file != null) { - .file = "kubernetes" + replace!(.file, "/", ".") - .stream_name = del(.file) +if ( ._internal.file != null) { + .stream_name = "kubernetes" + replace!(._internal.file, "/", ".") } if ( .log_type == "audit" ) { diff --git a/internal/generator/vector/output/cloudwatch/cw_groupname_with_aws_credentials.toml b/internal/generator/vector/output/cloudwatch/cw_groupname_with_aws_credentials.toml index 50b375b89c..df33e52162 100644 --- a/internal/generator/vector/output/cloudwatch/cw_groupname_with_aws_credentials.toml +++ b/internal/generator/vector/output/cloudwatch/cw_groupname_with_aws_credentials.toml @@ -5,9 +5,8 @@ inputs = ["cw-forward"] source = ''' .stream_name = "default" - if (.file != null) { - .file = "kubernetes" + replace!(.file, "/", ".") - .stream_name = del(.file) + if ( ._internal.file != null) { + .stream_name = "kubernetes" + replace!(._internal.file, "/", ".") } if ( .log_type == "audit" ) { diff --git a/internal/generator/vector/output/cloudwatch/cw_with_groupname.toml b/internal/generator/vector/output/cloudwatch/cw_with_groupname.toml index 32483c54b8..477db5a4c6 100644 --- a/internal/generator/vector/output/cloudwatch/cw_with_groupname.toml +++ b/internal/generator/vector/output/cloudwatch/cw_with_groupname.toml @@ -5,9 +5,8 @@ inputs = ["cw-forward"] source = ''' .stream_name = "default" - if (.file != null) { - .file = "kubernetes" + replace!(.file, "/", ".") - .stream_name = del(.file) + if ( ._internal.file != null) { + .stream_name = "kubernetes" + replace!(._internal.file, "/", ".") } if ( .log_type == "audit" ) { 
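Review bot: The new guard `if ( ._internal.file != null)` lets any non-null value reach `replace!`, which raises at runtime when its argument is not a string; checking the type instead, `if is_string(._internal.file) {`, keeps a malformed value on the "default" stream rather than failing the transform. Separately, the removed branch took `.file` off the event with `del(.file)`, while the new one leaves it in place, and the container hunks in this commit show no `del(.file)`. Unless `.file` and `._internal` are pruned elsewhere (not visible), records sent to CloudWatch would now carry the node-side log path. The same VRL is repeated in the cw_*.toml fixtures that follow. NormalizeStreamName's body continues outside the hunk.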
diff --git a/internal/generator/vector/output/cloudwatch/cw_with_tls_and_default_mintls_ciphers.toml b/internal/generator/vector/output/cloudwatch/cw_with_tls_and_default_mintls_ciphers.toml index 347803792f..1ea775a3fc 100644 --- a/internal/generator/vector/output/cloudwatch/cw_with_tls_and_default_mintls_ciphers.toml +++ b/internal/generator/vector/output/cloudwatch/cw_with_tls_and_default_mintls_ciphers.toml @@ -5,9 +5,8 @@ inputs = ["cw-forward"] source = ''' .stream_name = "default" - if (.file != null) { - .file = "kubernetes" + replace!(.file, "/", ".") - .stream_name = del(.file) + if ( ._internal.file != null) { + .stream_name = "kubernetes" + replace!(._internal.file, "/", ".") } if ( .log_type == "audit" ) { diff --git a/internal/generator/vector/output/cloudwatch/cw_with_tls_spec.toml b/internal/generator/vector/output/cloudwatch/cw_with_tls_spec.toml index a45f7b09ba..449f590279 100644 --- a/internal/generator/vector/output/cloudwatch/cw_with_tls_spec.toml +++ b/internal/generator/vector/output/cloudwatch/cw_with_tls_spec.toml @@ -5,9 +5,8 @@ inputs = ["cw-forward"] source = ''' .stream_name = "default" - if (.file != null) { - .file = "kubernetes" + replace!(.file, "/", ".") - .stream_name = del(.file) + if ( ._internal.file != null) { + .stream_name = "kubernetes" + replace!(._internal.file, "/", ".") } if ( .log_type == "audit" ) { diff --git a/internal/generator/vector/output/cloudwatch/cw_with_tls_spec_insecure_verify.toml b/internal/generator/vector/output/cloudwatch/cw_with_tls_spec_insecure_verify.toml index 42d50ab34f..8326fbb5f9 100644 --- a/internal/generator/vector/output/cloudwatch/cw_with_tls_spec_insecure_verify.toml +++ b/internal/generator/vector/output/cloudwatch/cw_with_tls_spec_insecure_verify.toml 
@@ -5,9 +5,8 @@ inputs = ["cw-forward"] source = ''' .stream_name = "default" - if (.file != null) { - .file = "kubernetes" + replace!(.file, "/", ".") - .stream_name = del(.file) + if ( ._internal.file != null) { + .stream_name = "kubernetes" + replace!(._internal.file, "/", ".") } if ( .log_type == "audit" ) { diff --git a/internal/generator/vector/output/cloudwatch/cw_with_url.toml b/internal/generator/vector/output/cloudwatch/cw_with_url.toml index 36ce060998..210669fcf3 100644 --- a/internal/generator/vector/output/cloudwatch/cw_with_url.toml +++ b/internal/generator/vector/output/cloudwatch/cw_with_url.toml @@ -5,9 +5,8 @@ inputs = ["cw-forward"] source = ''' .stream_name = "default" - if (.file != null) { - .file = "kubernetes" + replace!(.file, "/", ".") - .stream_name = del(.file) + if ( ._internal.file != null) { + .stream_name = "kubernetes" + replace!(._internal.file, "/", ".") } if ( .log_type == "audit" ) { diff --git a/internal/generator/vector/pipeline/adapter_test_drop_filter.toml b/internal/generator/vector/pipeline/adapter_test_drop_filter.toml index 679afe45a1..f89bb63a3f 100644 --- a/internal/generator/vector/pipeline/adapter_test_drop_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_drop_filter.toml @@ -13,6 +13,7 @@ source = ''' if .log_source == "container" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file if !exists(.level) { .level = "default" if match!(.message, r'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"|') { @@ -86,6 +87,7 @@ if .log_source == "container" { if .log_source == "node" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file .tag = ".journal.system" del(.source_type) diff --git a/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml b/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml index 74d35a4a7a..036ce02d6b 100644 
--- a/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml @@ -5,6 +5,7 @@ source = ''' if .log_type == "audit" && .log_source == "kubeAPI" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file del(.file) del(.source_type) . = merge(., parse_json!(string!(.message))) ?? . diff --git a/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml b/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml index 428a91645c..8f58ff9533 100644 --- a/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml @@ -5,6 +5,7 @@ source = ''' if .log_source == "container" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file if !exists(.level) { .level = "default" if match!(.message, r'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"|') { diff --git a/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml b/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml index 59d0cbe758..ca455e08bc 100644 --- a/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml @@ -5,6 +5,7 @@ source = ''' if .log_source == "container" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file if !exists(.level) { .level = "default" if match!(.message, r'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"|') { diff --git a/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml b/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml index 4e01debd62..d1b63096d8 100644 
--- a/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml @@ -5,6 +5,7 @@ source = ''' if .log_source == "container" { .openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}" ._internal.message = .message + ._internal.file = .file if !exists(.level) { .level = "default" if match!(.message, r'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"|') {