Elastic

create an index pattern for fluentd if not already created for you

gitlab-*
Build filter for gitlab namespace
{
  "query": {
    "match_phrase": {
      "kubernetes.namespace_name": "gitlab"
    }
  }
}
There are more than 15 pods in a Gitlab delployment.
[p1dev@p1dev-vm gitlab]$ kubectl get pods -n gitlab
NAME                                           READY   STATUS      RESTARTS   AGE
gitlab-gitaly-0                                1/1     Running     0          4h57m
gitlab-gitlab-exporter-668767985c-gqlf5        1/1     Running     0          4h57m
gitlab-gitlab-shell-697df76cc6-c72s4           1/1     Running     0          4h56m
gitlab-gitlab-shell-697df76cc6-hfv8v           1/1     Running     0          4h57m
gitlab-gitlab-upgrade-check-fc7k9              0/1     Completed   0          4h57m
gitlab-migrations.1-2rphn                      0/1     Completed   0          4h57m
gitlab-minio-86d86968bb-7mlj4                  1/1     Running     0          4h57m
gitlab-minio-create-buckets.1-g5zl8            0/1     Completed   0          4h57m
gitlab-prometheus-server-855c7b6999-sk4r8      2/2     Running     0          4h57m
gitlab-redis-master-0                          2/2     Running     0          4h57m
gitlab-registry-74566cb6f-k5rrx                1/1     Running     0          4h57m
gitlab-registry-74566cb6f-w9vbc                1/1     Running     0          4h57m
gitlab-shared-secrets.1-s6g-selfsign-bmtw5     0/1     Completed   0          143m
gitlab-shared-secrets.1-v1t-mkqqx              0/1     Completed   0          143m
gitlab-sidekiq-all-in-1-v1-86dbff87f9-wp2fr    1/1     Running     0          4h57m
gitlab-task-runner-584579cf87-mh4vb            1/1     Running     0          4h57m
gitlab-webservice-7ff8956d8b-8zcj2             2/2     Running     0          4h56m
gitlab-webservice-7ff8956d8b-9l8sj             2/2     Running     0          143m
global-shared-gitlab-runner-567cf8df54-8dzfw   1/1     Running     0          4h50m
Here is a document that lists the Gitlab components and what each one does https://docs.gitlab.com/ce/development/architecture.html#component-details

Here are some an examples of a filter for a specific containers: front-end webservice

{
  "query": {
    "match_phrase": {
      "kubernetes.container_name": "webservice"
    }
  }
}
gitlab-workhorse - a gateway for routing http requests to the proper component
{
  "query": {
    "match_phrase": {
      "kubernetes.container_name": "gitlab-workhorse"
    }
  }
}
cli git commands
{
  "query": {
    "match_phrase": {
      "kubernetes.container_name": "gitlab-shell"
    }
  }
}
In the KQL field you can text search within a source field such as log
log: "error"
log:
    F 2020-07-10T18:23:01.255Z 8 TID-go4bqp7cw ERROR: Error fetching job: Error connecting to Redis on gitlab-redis-master:6379 (Redis::TimeoutError)
kubernetes.namespace_name:
    gitlab
stream:
    stdout
docker.container_id:
    0ce16032685fdc72f9e2395872b525155f50893684f273ccef8f163a06164705
kubernetes.container_name:
    sidekiq
kubernetes.pod_name:
    gitlab-sidekiq-all-in-1-v1-86dbff87f9-wp2fr
kubernetes.container_image:
    registry.dso.mil/platform-one/apps/gitlab/gitlab-sidekiq-ee:v13.0.3
kubernetes.container_image_id:
    registry.dso.mil/platform-one/apps/gitlab/gitlab-sidekiq-ee@sha256:9e859328c5dfb685b5ccf176b15361091f0e58a935c770eadb80c909b67c4ac3
kubernetes.pod_id:
    53fa245b-c148-40f1-acc0-41fc687a6f2c
kubernetes.host:
    ip-10-39-105-148.us-gov-west-1.compute.internal
kubernetes.labels.app:
    sidekiq
kubernetes.labels.pod-template-hash:
    86dbff87f9
kubernetes.labels.queue-pod-name:
    all-in-1
kubernetes.labels.release:
    gitlab