Send "Namespace" as TAG along with the log line

[vkumar85]

I have a requirement where I need to create views per Kubernetes namespace in IBM Log Analysis tool. But I am not able to find a way to send the Namespace field as TAG using logDNA agent.

As most of apps a deployed in their dedicated namespace for isolation it would help to allow tags be configurable per Kubernetes metadata to better organize the views.

I want to avoid using filters based out of line identifiers, to create views as those always appear in the search bar and makes it difficult to write search queries as you have to append to an per-existing filter.

I have tried a lot of different ways to extract this field from the log line but can't get it so far.

Is there a way I can extract this field in an Environment variable and then use that environment variable to be sent as a TAG along with the log line?

Tried something like this and lot many more combinations, but nothing is working

- name: LOGDNA_LOG_NAMESPACE
  value:"{.meta.namespace}"

- name: LOGDNA_TAGS
  value: $(LOGDNA_LOG_NAMESPACE)

[dkhokhlov]

do you mean - be able to search in Web UI by value from this NAMESPACE env var? https://github.com/logdna/logdna-agent-v2/blob/master/k8s/agent-resources.yaml#L155

[vkumar85]

@dkhokhlov Thanks for responding. No. I want to send the namespace of the log line generating POD, to mezmo as a TAG, so I can select a tag to create a view instead of using a query "namespace:<>" as a view creation method.

[dkhokhlov]

how about to define new env var in yaml:

         - name: LOGDNA_TAGS
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

similar to the link i mentioned.

[vkumar85]

I tried both directly as you mentioned above and by passing it as a variable to LOGDN_TAGS, agent fails to start in both cases.

- name: "LOGDNA_NAMESPACE_TAG"
  valueFrom:
    fieldRef:
      fieldPath: metadata.namespace
- name: "LOGDNA_TAGS"
  value: $(LOGDNA_NAMESPACE_TAG)

[2023-01-26T18:44:21Z ERROR logdna_agent::_main] bad request, check configuration: 403 Forbidden 3 [2023-01-26T18:44:21Z INFO logdna_agent::_main] Received shutdown request 2 [2023-01-26T18:44:21Z INFO notify_stream] Shutting down watcher 1 [2023-01-26T18:44:21Z INFO notify_stream] Shutting down watcher

[dkhokhlov]

403 Forbidden - is about Ingestion Key.

LOGDNA_TAGS - is static field. Cannot be modified on the fly with each line. Agent does have k8s enrichment of log lines. Do you have it enabled?

[vkumar85]

Per the documentation, k8s enrichment flag is set to ALWAYS by default and I see all below metadata coming in with the log line

My need is to use TAG as filtering method to create views. Today , I use query, namespace:<>, which compares the namespace from this line identifieres metadata and creates a view for me. But having this query listed in the view search bar always is a in-convenience, in case I need to write further filtering or searching in the search bar. If I user TAG, this query wont appear in the search bar.

Just to Add: When I added the TAG as you mentioned above, it recorded the namespace name of the namespace where logDNA agent is installed and it sent that with every log line. As can be see in tags screenshot.