---
# Helm values for a Fluent Bit agent that tails Falco's container logs,
# flattens each Falco JSON alert into top-level fields, tags it with a
# sensor name and prints the result on stdout.

image:
  # NOTE(review): `latest-debug` is a floating tag, so the agent image can
  # change without any change to this file. The upstream `-debug` variants
  # presumably ship a shell and extra tooling (confirm for the registry in
  # use). For a component that handles security telemetry, prefer a fixed
  # release tag or an image digest.
  tag: 'latest-debug'

config:
  # Replaces the service section: loads the stock parsers plus the custom
  # parser file defined under `customParsers`, and turns on the built-in
  # HTTP server and its health check.
  # NOTE(review): no listen address or port is set here, so Fluent Bit's
  # defaults apply; restrict access (e.g. with a NetworkPolicy) if the
  # endpoint should not be reachable from other pods.
  service: |
    [SERVICE]
        parsers_file /fluent-bit/etc/parsers.conf
        parsers_File /fluent-bit/etc/conf/custom_parsers.conf
        http_server on
        health_check on

  # Tails only the Falco container logs (driver-loader and artifact logs
  # are excluded), parses the CRI line format and tags records `falco`.
  # NOTE(review): buffering is capped at 5MB in memory and no `db` offset
  # file is configured, so read positions are presumably not persisted
  # across agent restarts. Confirm that alerts written while the agent is
  # paused or restarting are not lost.
  inputs: |
    [INPUT]
        name tail
        path /var/log/containers/falco*.log
        exclude_path *driver-loader*.log,*artifact*.log
        parser cri
        tag falco
        mem_buf_limit 5MB
        skip_empty_lines on

  # Filter chain, applied in order to records tagged `falco`:
  #   1. drop the `time` key left by the container log line
  #   2. parse `message` as JSON, keeping the other keys (reserve_data)
  #   3. drop `output`
  #   4. lift the keys nested under `output_fields` to the top level
  #   5. drop `time` and `evt.time` coming from the parsed alert
  #   6. add a `sensor` key
  # NOTE(review): steps 1 and 5 remove every time key visible here, so the
  # event keeps only the timestamp Fluent Bit assigned to the record.
  # Confirm that is precise enough for incident timelines.
  # NOTE(review): `APP_TYPE@CONTEXT` looks like a placeholder meant to be
  # substituted at deploy time; if it is not, every record carries the
  # literal string and sensors cannot be told apart.
  filters: |
    # before even parsing message field - that was k8s field
    [FILTER]
        name modify
        match falco
        remove time

    [FILTER]
        name parser
        match falco
        key_name message
        parser json_no_time
        reserve_data true

    # duplicates parsed json fields
    [FILTER]
        name modify
        match falco
        remove output

    [FILTER]
        name nest
        match falco
        operation lift
        nested_under output_fields

    # yet again and also from parsed output field
    [FILTER]
        name modify
        match falco
        remove time
        remove evt.time

    [FILTER]
        name modify
        match falco
        add sensor APP_TYPE@CONTEXT

  # The only output is the agent's own stdout.
  # NOTE(review): nothing here forwards alerts off the node, so retention
  # and integrity of the processed events depend on whatever collects
  # this pod's logs. Verify that path before relying on it.
  outputs: |
    [OUTPUT]
        name stdout
        match falco

  # JSON parser with no time key configured, used by the parser filter on
  # the `message` field.
  customParsers: |
    [PARSER]
        name json_no_time
        format json