Configuring Fluentd to merge JSON log message body
If application pods output logs in JSON format, it is recommended to configure Fluentd to parse the JSON fields from the message body and merge the parsed objects into the JSON payload document posted to Elasticsearch.
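The following added example illustrates the merge described above on constructed records, and shows why it matters which side wins when a key in the application's JSON body collides with a field set by the collector. It is not Fluentd's or the Cluster Logging Operator's code; the function name merge_json_log and the reserved field names are assumptions made for the illustration.

```python
import json

# Assumed top-level fields set by the collector; names are illustrative only.
RESERVED = {"@timestamp", "kubernetes", "hostname", "message"}

def merge_json_log(record, protect=RESERVED):
    """Return (merged_record, skipped_keys) for one collected log record.

    If record["message"] holds a JSON object, its keys are copied to the top
    level of the record. Keys listed in `protect` are not overwritten and are
    reported in skipped_keys instead.
    """
    merged = dict(record)
    body = record.get("message")
    if not isinstance(body, str) or not body.lstrip().startswith("{"):
        return merged, []          # plain-text line: nothing to merge
    try:
        parsed = json.loads(body)
    except ValueError:
        return merged, []          # looks like JSON but is not: leave as-is
    if not isinstance(parsed, dict):
        return merged, []
    skipped = []
    for key, value in parsed.items():
        if key in protect and key in merged:
            skipped.append(key)    # application tried to replace a collector field
        else:
            merged[key] = value
    return merged, sorted(skipped)

# Constructed sample records (not real cluster output).
SAMPLE_JSON = {
    "@timestamp": "2020-01-01T00:00:00Z",
    "kubernetes": {"namespace_name": "shop", "pod_name": "cart-1"},
    "message": '{"level": "error", "user_id": 42, "kubernetes": {"namespace_name": "other"}}',
}
SAMPLE_TEXT = {"@timestamp": "2020-01-01T00:00:01Z", "message": "plain text line"}

if __name__ == "__main__":
    for rec in (SAMPLE_JSON, SAMPLE_TEXT):
        out, skipped = merge_json_log(rec)
        print(json.dumps(out, sort_keys=True), "skipped:", skipped)
```

Calling merge_json_log(SAMPLE_JSON, protect=set()) shows the unprotected case, where the namespace recorded by the collector is replaced by the value the application wrote.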
This feature is disabled by default. To enable it, first change the managementState field of the cluster logging instance from "Managed" to "Unmanaged". Setting the instance to the Unmanaged state gives the administrator full control of the components managed by the Cluster Logging Operator and is the prerequisite for many cluster logging configurations.
[root@tncoiaf-inf ~]# oc project openshift-logging
[root@tncoiaf-inf ~]# oc edit ClusterLogging
apiVersion: "logging.openshift.io/v1"
kind: "ClusterLogging"
metadata:
  name: "instance"
....
spec:
  managementState: "Unmanaged"