Fix native logs collection after logs-library changes in 0.29.0

CHANGELOG.md

@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 
 - Make sure that logs or profiling data is sent only when it's enabled (#444)
+- Fix native OTel logs collection broken after the 0.29.0 opentelemetry-logs-library changes in 0.49.0 release (#448)
 
 ## [0.49.0] - 2022-04-28
 

helm-charts/splunk-otel-collector/templates/config/_otel-agent.tpl

@@ -278,14 +278,9 @@ receivers:
           layout: '2006-01-02T15:04:05.000000000-07:00'
       - type: recombine
         id: crio-recombine
-        combine_field: body.log
-        is_last_entry: "(body.logtag) == 'F'"
-      - type: add
-        id: crio-handle_empty_log
-        output: filename
-        if: body.log == nil
-        field: body.log
-        value: ""
+        output: handle_empty_log
+        combine_field: attributes.log
+        is_last_entry: "attributes.logtag == 'F'"
       {{- end }}
       {{- if or (not .Values.logsCollection.containers.containerRuntime) (eq .Values.logsCollection.containers.containerRuntime "containerd") }}
       # Parse CRI-Containerd format
@@ -297,60 +292,57 @@ receivers:
           layout: '%Y-%m-%dT%H:%M:%S.%LZ'
       - type: recombine
         id: containerd-recombine
-        combine_field: body.log
-        is_last_entry: "(body.logtag) == 'F'"
-      - type: add
-        id: containerd-handle_empty_log
-        output: filename
-        if: body.log == nil
-        field: body.log
-        value: ""
+        output: handle_empty_log
+        combine_field: attributes.log
+        is_last_entry: "attributes.logtag == 'F'"
       {{- end }}
       {{- if or (not .Values.logsCollection.containers.containerRuntime) (eq .Values.logsCollection.containers.containerRuntime "docker") }}
       # Parse Docker format
       - type: json_parser
         id: parser-docker
-        parse_to: body
+        output: handle_empty_log
         timestamp:
-          parse_from: body.time
+          parse_from: attributes.time
           layout: '%Y-%m-%dT%H:%M:%S.%LZ'
       {{- end }}
       - type: add
-        id: filename
-        field: resource["com.splunk.source"]
-        value: EXPR(attributes["log.file.path"])
+        id: handle_empty_log
+        if: attributes.log == nil
+        field: attributes.log
+        value: ""
       # Extract metadata from file path
       - type: regex_parser
-        id: extract_metadata_from_filepath
         {{- if .Values.isWindows }}
         regex: '^C:\\var\\log\\pods\\(?P<namespace>[^_]+)_(?P<pod_name>[^_]+)_(?P<uid>[^\/]+)\\(?P<container_name>[^\._]+)\\(?P<restart_count>\d+)\.log$'
         {{- else }}
         regex: '^\/var\/log\/pods\/(?P<namespace>[^_]+)_(?P<pod_name>[^_]+)_(?P<uid>[^\/]+)\/(?P<container_name>[^\._]+)\/(?P<restart_count>\d+)\.log$'
         {{- end }}
-        parse_to: body
         parse_from: attributes["log.file.path"]
       # Move out attributes to Attributes
-      - type: add
-        field: resource["k8s.pod.uid"]
-        value: EXPR(body.uid)
-      - type: add
-        field: resource["k8s.container.restart_count"]
-        value: EXPR(body.restart_count)
-      - type: add
-        field: resource["k8s.container.name"]
-        value: EXPR(body.container_name)
-      - type: add
-        field: resource["k8s.namespace.name"]
-        value: EXPR(body.namespace)
-      - type: add
-        field: resource["k8s.pod.name"]
-        value: EXPR(body.pod_name)
+      - type: move
+        from: attributes.uid
+        to: resource["k8s.pod.uid"]
+      - type: move
+        from: attributes.restart_count
+        to: resource["k8s.container.restart_count"]
+      - type: move
+        from: attributes.container_name
+        to: resource["k8s.container.name"]
+      - type: move
+        from: attributes.namespace
+        to: resource["k8s.namespace.name"]
+      - type: move
+        from: attributes.pod_name
+        to: resource["k8s.pod.name"]
       - type: add
         field: resource["com.splunk.sourcetype"]
-        value: EXPR("kube:container:"+body.container_name)
-      - type: add
-        field: attributes["log.iostream"]
-        value: EXPR(body.stream)
+        value: EXPR("kube:container:"+resource["k8s.container.name"])
+      - type: move
+        from: attributes.stream
+        to: attributes["log.iostream"]
+      - type: move
+        from: attributes["log.file.path"]
+        to: resource["com.splunk.source"]
       {{- if .Values.logsCollection.containers.multilineConfigs }}
       - type: router
         routes:
@@ -364,8 +356,8 @@ receivers:
         id: {{ include "splunk-otel-collector.newlineKey" . | quote}}
         output: clean-up-log-record
         source_identifier: resource["com.splunk.source"]
-        combine_field: body.log
-        is_first_entry: '(body.log) matches {{ .firstEntryRegex | quote }}'
+        combine_field: attributes.log
+        is_first_entry: '(attributes.log) matches {{ .firstEntryRegex | quote }}'
       {{- end }}
       {{- end }}
       {{- with .Values.logsCollection.containers.extraOperators }}
@@ -374,7 +366,7 @@ receivers:
       # Clean up log record
       - type: move
         id: clean-up-log-record
-        from: body.log
+        from: attributes.log
         to: body
   {{- end }}
 

rendered/manifests/otel-logs/configmap-agent.yaml

@@ -156,69 +156,61 @@ data:
             layout_type: gotime
             parse_from: attributes.time
           type: regex_parser
-        - combine_field: body.log
+        - combine_field: attributes.log
           id: crio-recombine
-          is_last_entry: (body.logtag) == 'F'
+          is_last_entry: attributes.logtag == 'F'
+          output: handle_empty_log
           type: recombine
-        - field: body.log
-          id: crio-handle_empty_log
-          if: body.log == nil
-          output: filename
-          type: add
-          value: ""
         - id: parser-containerd
           regex: ^(?P<time>[^ ^Z]+Z) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*) (?P<log>.*)$
           timestamp:
             layout: '%Y-%m-%dT%H:%M:%S.%LZ'
             parse_from: attributes.time
           type: regex_parser
-        - combine_field: body.log
+        - combine_field: attributes.log
           id: containerd-recombine
-          is_last_entry: (body.logtag) == 'F'
+          is_last_entry: attributes.logtag == 'F'
+          output: handle_empty_log
           type: recombine
-        - field: body.log
-          id: containerd-handle_empty_log
-          if: body.log == nil
-          output: filename
-          type: add
-          value: ""
         - id: parser-docker
-          parse_to: body
+          output: handle_empty_log
           timestamp:
             layout: '%Y-%m-%dT%H:%M:%S.%LZ'
-            parse_from: body.time
+            parse_from: attributes.time
           type: json_parser
-        - field: resource["com.splunk.source"]
-          id: filename
+        - field: attributes.log
+          id: handle_empty_log
+          if: attributes.log == nil
           type: add
-          value: EXPR(attributes["log.file.path"])
-        - id: extract_metadata_from_filepath
-          parse_from: attributes["log.file.path"]
-          parse_to: body
+          value: ""
+        - parse_from: attributes["log.file.path"]
           regex: ^\/var\/log\/pods\/(?P<namespace>[^_]+)_(?P<pod_name>[^_]+)_(?P<uid>[^\/]+)\/(?P<container_name>[^\._]+)\/(?P<restart_count>\d+)\.log$
           type: regex_parser
-        - field: resource["k8s.pod.uid"]
-          type: add
-          value: EXPR(body.uid)
-        - field: resource["k8s.container.restart_count"]
-          type: add
-          value: EXPR(body.restart_count)
-        - field: resource["k8s.container.name"]
-          type: add
-          value: EXPR(body.container_name)
-        - field: resource["k8s.namespace.name"]
-          type: add
-          value: EXPR(body.namespace)
-        - field: resource["k8s.pod.name"]
-          type: add
-          value: EXPR(body.pod_name)
+        - from: attributes.uid
+          to: resource["k8s.pod.uid"]
+          type: move
+        - from: attributes.restart_count
+          to: resource["k8s.container.restart_count"]
+          type: move
+        - from: attributes.container_name
+          to: resource["k8s.container.name"]
+          type: move
+        - from: attributes.namespace
+          to: resource["k8s.namespace.name"]
+          type: move
+        - from: attributes.pod_name
+          to: resource["k8s.pod.name"]
+          type: move
         - field: resource["com.splunk.sourcetype"]
           type: add
-          value: EXPR("kube:container:"+body.container_name)
-        - field: attributes["log.iostream"]
-          type: add
-          value: EXPR(body.stream)
-        - from: body.log
+          value: EXPR("kube:container:"+resource["k8s.container.name"])
+        - from: attributes.stream
+          to: attributes["log.iostream"]
+          type: move
+        - from: attributes["log.file.path"]
+          to: resource["com.splunk.source"]
+          type: move
+        - from: attributes.log
           id: clean-up-log-record
           to: body
           type: move

rendered/manifests/otel-logs/daemonset.yaml

@@ -29,7 +29,7 @@ spec:
         app: splunk-otel-collector
         release: default
       annotations:
-        checksum/config: 2de91f8f2b9592467c802548de0ecec4d2970e44af26cbd6feca40913ba931c7
+        checksum/config: 66d55b89495c1745c71e96d0a3ea34d83f87309f0ce450c24ad3726a71ce299a
         kubectl.kubernetes.io/default-container: otel-collector
     spec:
       hostNetwork: true