-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
Logging 6.4.0
-
Incidents & Support
-
False
-
-
False
-
NEW
-
NEW
-
Bug Fix
-
-
Description of problem:
The k8s_audit_level value is null when the field ".structured.level" field is pruned.
Version-Release number of selected component (if applicable):
Loki 6.4
Logging 6.4
How reproducible:
Always
Steps to Reproduce:
- Create logging stack with Loki version 6.4
- Create CLF as below:
apiVersion: observability.openshift.io/v1 kind: ClusterLogForwarder metadata: name: collector namespace: openshift-logging spec: filters: - name: remove-pod-owner prune: notIn: - .log_source - .log_type - .message - .timestamp - .structured.auditID - .structured.kubernetes - .structured.annotations - .k8s_audit_level <=============== type: prune managementState: Managed outputs: - lokiStack: authentication: token: from: serviceAccount target: name: logging-loki namespace: openshift-logging name: default-lokistack tls: ca: configMapName: openshift-service-ca.crt key: service-ca.crt type: lokiStack pipelines: - filterRefs: - remove-pod-owner inputRefs: - audit name: default-logstore outputRefs: - default-lokistack serviceAccount: name: collector
Actual results:
k8s_audit_level is null as visible in the image attached.
Expected results:
k8s_audit_level value should be present and not be null
Additional info:
k8s_audit_level field depends on structured.level field so if the structured.level is pruned, it will be assigned later in the pipeline to the k8s_audit_level an empty value.
- name: remove-pod-owner
prune:
notIn:
- .k8s_audit_level
- .structured.level
