Help parsing/extracting logs #621
Replies: 1 comment
-
Realizing now that my confusion is that the "label_drop" only removes the label, not its corresponding value. I switched to using stage.replace to do this instead.
-
Hi, in my current setup I am running the LGTM stack with Alloy in front of it. I am running this with Podman, and I have Podman writing all logs to disk. I was able to read and forward these logs to Loki, but I was hoping to improve the parsing/extraction of these logs.
Here is an example log message:
"2024-04-21T12:32:10.001202478-04:00 stdout F logger=ngalert.scheduler t=2024-04-21T16:32:10.001126578Z level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0"
A problem I am having is the timestamp / stdout prefix (I think this is added by Podman). I was able to remove this in a dashboard, but I was hoping to just drop this with some processing directly in Alloy, for easier dashboard config. Basically, I just want to drop the bold portion of all these logs.
Presently I have this config, and I do get some debug logs indicating it is doing something, but the logs I see look exactly the same. Could someone just give this config a once over/advise how I might accomplish this?
local.file_match "podlogs" {
  path_targets = [{"__path__" = "/var/log/pod.log"}]
}

loki.source.file "local_files" {
  targets    = local.file_match.podlogs.targets
  forward_to = [loki.process.drop_prefix.receiver]
}

loki.process "drop_prefix" {
  stage.regex {
    expression = "(?P<trash>^([^ ]+) ([^ ]+) ([^ ]+))(?P<rest>.*)"
  }

  stage.label_drop {
    values = ["trash"]
  }

  forward_to = [loki.write.push_logs.receiver]
}

loki.write "push_logs" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push"
  }
}
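One way to write the stage.replace approach mentioned in the reply, as an added example that is not part of the original thread. It reuses the component names from the question's config; the regular expression is an assumption about the prefix shape (timestamp, stream name, then an F or P flag).

```alloy
// Added example, not from the original thread.
// stage.regex only copies named groups into the extracted data map, and
// stage.label_drop only removes labels, so neither one rewrites the log line.
// stage.replace rewrites the line itself: the text matched by the capture
// group is replaced with `replace`, and an empty string deletes it.
loki.process "drop_prefix" {
  stage.replace {
    // Anchored at the start of the line so that only a leading
    // "<timestamp> <stdout|stderr> <F|P> " prefix is stripped and the
    // application's own message is left untouched.
    expression = "^([^ ]+ (?:stdout|stderr) [FP] )"
    replace    = ""
  }

  forward_to = [loki.write.push_logs.receiver]
}
```

With the sample line from the question, the entry forwarded to Loki starts at `logger=ngalert.scheduler`; lines that do not begin with such a prefix pass through unchanged.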