118. JSON logs are not parsed correctly after migrating from RKE1 (Docker) to RKE2 (containerd)
Situation

After migrating the cluster from RKE1 to RKE2, JSON logs sent to Elasticsearch are not being split into fields correctly.

Resolution

To resolve the issue, configure a custom parser and an inputTail in the Rancher Logging chart by adding the following configuration directly under values.yaml:

    fluentbitAgentOverlay:
      spec:
        customParsers: |
          [PARSER]
              Name cri-log-compatibility
              Format regex
              Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$
              Time_Key time
              Time_Format %Y-%m-%dT%H:%M:%S.%L%z
        inputTail:
          Parser: cri-log-compatibility

Cause

The difference between how containerd and Docker write logs causes JSON logs to not be split into fields correctly after migrating from RKE1 to RKE2.
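The following is an added example, not part of the original article or of Rancher's code. It applies the cri-log-compatibility regex (named groups written out in full; Ruby uses the same Onigmo syntax as Fluent Bit) to constructed sample lines to show why a containerd (CRI) line needs the prefix split off before its JSON payload can become fields, while a Docker json-file line is already JSON. The sample lines, the function names and the JSON-lifting step (standing in for whatever downstream stage expands the `log` field) are assumptions.

```ruby
require "json"
require "time"

# Same expression as the cri-log-compatibility parser (Onigmo named groups).
CRI_REGEX = /^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$/

# Constructed sample lines, not captured from a real cluster.
DOCKER_LINE = '{"log":"{\"level\":\"warn\",\"user\":\"alice\"}\n","stream":"stdout","time":"2024-05-01T10:15:30.123456789Z"}'
CRI_LINE    = '2024-05-01T10:15:30.123456789Z stdout F {"level":"warn","user":"alice"}'
CRI_PARTIAL = '2024-05-01T10:15:31.000000001Z stderr P {"level":"error","msg":"trunc'

# Split a CRI line into time/stream/logtag/log, then lift JSON keys out of `log`.
# Returns nil when the line does not have the CRI layout.
def parse_cri(line)
  m = CRI_REGEX.match(line.chomp)
  return nil unless m
  record = m.named_captures
  record["time"] = Time.iso8601(record["time"])
  # logtag "P" marks a partial line: the payload is incomplete, keep it as text.
  if record["logtag"] == "F"
    begin
      payload = JSON.parse(record["log"])
      # On a key clash (e.g. the app also logs "time"), keep the CRI value.
      record.merge!(payload) { |_key, old, _new| old } if payload.is_a?(Hash)
    rescue JSON::ParserError
      # Plain-text application log: leave `log` untouched.
    end
  end
  record
end

# A Docker json-file line is already a JSON object with log/stream/time keys.
def parse_docker(line)
  JSON.parse(line)
end

if __FILE__ == $PROGRAM_NAME
  p parse_docker(DOCKER_LINE).keys
  p parse_cri(CRI_LINE)
  p parse_cri(CRI_PARTIAL)
  p parse_cri(DOCKER_LINE) # nil: a json-file line does not match the CRI layout
end
```
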