I’m going to try create a new index_template with the app field set as an object, then restart fluent-bit.
I have the luxury of being able to throw away existing logs, however it looks like it might be possible to just alias to new template and update fluent-bit (or your log forwarder) config?
Creating the index_template with app having type: object resulted in app.kubernetes.io logs being ingested but not the logs of pods with app: xyz type labels.
I’m going to update the manifests for the apps that I can in the mean time.
Don from fluent-bit issue made the good suggestion that we could use the Replace_Dots On config in Fluent-bit to replace dots with underscores.
Filebeat from memory has this option as well.
Might be a workaround in the interim.