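{{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
---
# Flow that selects CoreDNS pods in kube-system, parses their query-log lines
# into ECS-style fields and sends them to the "default" global output.
# Rendered only when the cluster serves the logging.banzaicloud.io/v1beta1 Flow API.
apiVersion: logging.banzaicloud.io/v1beta1
kind: Flow
metadata:
  name: coredns
  namespace: kube-system
spec:
  match:
    - select:
        labels:
          k8s-app: "coredns"
  filters:
    - tag_normaliser: {}
    - parser:
        # Keep the fields already on the record; drop the raw key once it is parsed.
        reserve_data: true
        remove_key_name_field: true
        parse:
          type: "multi_format"
          patterns:
            # NOTE(review): every capture group on the page read `(?.*)`, which is
            # not a valid group; the group names were lost. They are restored from
            # the fields that `types` and `records` below reference, assuming the
            # line follows the CoreDNS log plugin's common format. log.level,
            # dns.question.type, dns.question.class and network.transport are
            # referenced nowhere on the page: they are reviewer-chosen ECS names,
            # confirm them against the chart's history before merging.
            # The question name is client-supplied and every group is a greedy
            # `.*`, so field boundaries rest on spaces alone; treat the parsed
            # values as untrusted input in dashboards and detections.
            - format: "regexp"
              expression: '^\[(?<log.level>.*)\] \[?(?<source.address>.*)\]?:(?<source.port>.*) - (?<dns.id>.*) "(?<dns.question.type>.*) (?<dns.question.class>.*) (?<dns.question.name>.*)\.? (?<network.transport>.*) (?<coredns.query.size>.*) (?<coredns.dnssec_ok>.*) (?<bufsize>.*)" (?<dns.response_code>.*) (?<dns.header_flags>.*) (?<coredns.response.size>.*) (?<coredns.duration>.*)s'
              types: "source.port:integer,dns.id:integer,coredns.query.size:integer,coredns.dnssec_ok:bool,bufsize:integer,dns.header_flags:array,coredns.response.size:integer,coredns.duration:float"
            # Fallback: lines that are not query logs pass through unparsed.
            - format: "none"
    - record_transformer:
        enable_ruby: true
        records:
          - source.ip: '${ record["source.address"] }'
            dns.header_flags: '${ !(record["dns.header_flags"].nil?) ? record["dns.header_flags"].map(&:upcase) : nil }'
            # Parsed duration carries a trailing "s" in the pattern; scaled by 1e9 here.
            event.duration: '${ !(record["coredns.duration"].nil?) ? record["coredns.duration"] * 1000000000 : nil }'
            event.kind: "event"
            event.category: "network"
            event.type: "protocol"
            # Derive an outcome only when a response code was parsed. Without the
            # nil guard every line that fell through to the "none" pattern was
            # labelled "failure", inflating failure counts in anything built on
            # this field.
            event.outcome: '${ record["dns.response_code"].nil? ? nil : (record["dns.response_code"] == "NOERROR" ? "success" : "failure") }'
            event.protocol: "dns"
            event.module: "coredns"
            related.ip: '${ record["source.address"] }'
            # for dashboard
            fileset.name: "kubernetes"
            coredns.query.name: '${ record["dns.question.name"] }'
        remove_keys: "coredns.duration,coredns.dnssec_ok"
  globalOutputRefs:
    - "default"
{{- end }}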