06 Nov 2024 03:59 AM
I have a dashboard for AWS EKS clusters where all the tiles are dependent on a $Cluster variable that contains the cluster name in the format derived from DQL:
fetch dt.entity.kubernetes_cluster
| fields entity.name
| filter contains(entity.name, "engineering")
| sort entity.name asc
This gives me cluster names such as "engineering-east1", "engineering-east2", etc.
I want to pin a tile to the top of the dashboard that executes this log query (got this from the Kubernetes app):
fetch logs
| filter dt.entity.kubernetes_cluster == "KUBERNETES_CLUSTER-986F4E539E5EE209" or in(dt.entity.kubernetes_cluster, "KUBERNETES_CLUSTER-986F4E539E5EE209")
| filter status == "ERROR" OR status == "WARN"
| sort timestamp desc
The issue is that I would like to fetch the logs using that same $Cluster name that I've established in the dashboard variable, which is the entity.name from the dt.entity.kubernetes_cluster, instead of the KUBERNETES_CLUSTER string. I have not been able to perform any sort of lookup (i.e., swap in entity.name for the KUBERNETES_CLUSTER string) in the fetch logs that would allow me to fetch the logs like that. Does anyone know how I would do this?
07 Nov 2024 02:22 PM
Could you replace dt.entity.kubernetes_cluster with k8s.cluster.name?
Does the following query work for you?
fetch logs
| filter k8s.cluster.name == $Cluster or in(k8s.cluster.name, $Cluster)
| filter status == "ERROR" OR status == "WARN"
| sort timestamp desc