1

I would like to get the message of my log entry into AWS with correct JSON tokenization from CRI application logs when running in AWS EKS (version 1.22).

My application outputs valid JSON, but the log line is prepended with YYYY-MM-DDTHH:MM:SS.MILLIZ stdout F. This means that a standard JSON parser does not work.

Using a regex parser from http://rubular.com/r/tjUt3Awgg4, the time, stream and logtag from my above example are all correctly identified, but I then cannot tokenize the message JSON. My log content is then in the message key.

[PARSER]
        # http://rubular.com/r/tjUt3Awgg4
        Name cri
        Format regex
        Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
        Time_Key    time
        Time_Format %Y-%m-%dT%H:%M:%S.%L%z

Is there a way to stack parsers, or a way to remove the first part of the log line before sending it to the parser? I attempted a remove_regex in a filter, but couldn't make that work.

Anonymouslemming
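
Added example, not part of the original question: one way to stack a second parser in Fluent Bit is the parser filter, which re-parses a single key of a record that an earlier parser has already split. The `cri` parser is the one from the question; the parser name `app_json` and the `kube.*` tag pattern are assumptions for illustration.

```ini
# parsers.conf
# First stage: the CRI parser from the question. It splits the prefix
# (time, stream, logtag) from the application payload, which lands in "message".
[PARSER]
    Name        cri
    Format      regex
    Regex       ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
    Time_Key    time
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z

# Second stage: a plain JSON parser (app_json is a hypothetical name).
[PARSER]
    Name        app_json
    Format      json

# fluent-bit.conf
# The parser filter applies app_json to the "message" key only.
[FILTER]
    Name         parser
    # Assumed tag pattern; use the tag set on the input that reads the CRI logs.
    Match        kube.*
    Key_Name     message
    Parser       app_json
    # Keep the other keys from the first stage (stream, logtag) in the record.
    Reserve_Data On
```

With `Reserve_Data On` the keys decoded from the JSON payload sit next to `stream` and `logtag` in the same record, so downstream outputs see the application fields as top-level keys instead of one opaque `message` string.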

0 Answers