signalfx · dmitryax · Nov 17, 2021 · Nov 12, 2021 · Nov 17, 2021 · Nov 17, 2021
@@ -45,6 +45,17 @@ zipkin:
 {{- end }}
 {{- end }}
 
+{{/*
+Filter Attributes Function
+*/}}
+{{- define "splunk-otel-collector.filterAttr" -}}
+{{- if .Values.logsCollection.containers.useSplunkIncludeAnnotation -}}
+splunk.com/include
+{{- else -}}
+splunk.com/exclude
+{{- end }}
+{{- end }}
+
 {{/*
 Common config for resourcedetection processor
 */}}
@@ -94,7 +105,7 @@ resource/logs:
       action: upsert
     - key: k8s.pod.annotations.splunk.com/sourcetype
       action: delete
-    - key: splunk.com/exclude
+    - key: {{ include "splunk-otel-collector.filterAttr" . }}
       action: delete
     {{- if .Values.autodetect.istio }}
     - key: service.name
@@ -158,9 +169,9 @@ Filter logs processor
 # Drop logs coming from pods and namespaces with splunk.com/exclude annotation.
 filter/logs:
   logs:
-    exclude:
+    {{ .Values.logsCollection.containers.useSplunkIncludeAnnotation | ternary "include" "exclude" }}:
       resource_attributes:
-        - key: splunk.com/exclude
+        - key: {{ include "splunk-otel-collector.filterAttr" . }}
           value: "true"
 {{- end }}
 

@@ -270,11 +270,11 @@ processors:
       annotations:
         - key: splunk.com/sourcetype
           from: pod
-        - key: splunk.com/exclude
-          tag_name: splunk.com/exclude
+        - key: {{ include "splunk-otel-collector.filterAttr" . }}
+          tag_name: {{ include "splunk-otel-collector.filterAttr" . }}
           from: namespace
-        - key: splunk.com/exclude
-          tag_name: splunk.com/exclude
+        - key: {{ include "splunk-otel-collector.filterAttr" . }}
+          tag_name: {{ include "splunk-otel-collector.filterAttr" . }}
           from: pod
         - key: splunk.com/index
           tag_name: com.splunk.index

@@ -53,11 +53,11 @@ processors:
       annotations:
         - key: splunk.com/sourcetype
           from: pod
-        - key: splunk.com/exclude
-          tag_name: splunk.com/exclude
+        - key: {{ include "splunk-otel-collector.filterAttr" . }}
+          tag_name: {{ include "splunk-otel-collector.filterAttr" . }}
           from: namespace
-        - key: splunk.com/exclude
-          tag_name: splunk.com/exclude
+        - key: {{ include "splunk-otel-collector.filterAttr" . }}
+          tag_name: {{ include "splunk-otel-collector.filterAttr" . }}
           from: pod
         - key: splunk.com/index
           tag_name: com.splunk.index

@@ -492,6 +492,9 @@
                 "type": "string"
               }
             },
+            "useSplunkIncludeAnnotation": {
+              "type": "boolean"
+            },
             "multilineConfigs": {
               "type": "array",
               "items": {

@@ -348,7 +348,6 @@ logsCollection:
     # By the time of reconstructing a multiline log the following information is available to
     # identify source of the logs: namespace, pod and container names. At least one source
     # identifier has to be specified in for each multiline config.
-    multilineConfigs: []
     # The following example shows how to setup multiline log processing for logs having subsequent
     # log lines written with an offset. Let's say a k8s deployment called "buttercup-app" is
     # scheduled to run in "default" namespace with a java container called "server", and the
@@ -371,6 +370,10 @@ logsCollection:
     #     containerName:
     #       value: server
     #     firstEntryRegex: ^[^\s].*
+    multilineConfigs: []
+    # Set useSplunkIncludeAnnotation flag to `true` to collect logs from pods with `splunk.com/include: true` annotation and ignore others.
+    # All other logs will be ignored.
+    useSplunkIncludeAnnotation: false
 
   checkpointPath: "/var/addon/splunk/otel_pos"