How can I get the journal's timestamp in promtail?

When parsing the systemd journal with promtail, can I replace the generated timestamp (time of processing) with the one from the journal (original timestamp of the journal entry)?

You can see this Stack Overflow Question for some background.

Hello,
Yes, it is possible, but by default syslog saves the timestamp without the year; it is possible to change this behavior. Can you send me a sample log line?

Hey @palw3ey thanks for the reply and sorry for my late response.

This is my config for promtail:

scrape_configs:
  - job_name: systemd-journal
    journal:
      labels:
        job: systemd-journal
    relabel_configs:
      # add label unit
      - source_labels: ["__journal__systemd_unit"]
        target_label: "unit"
      # add label level (priority)
      - source_labels: ["__journal_priority_keyword"]
        target_label: "level"
      # get timestamp
      - source_labels: ["__journal_syslog_timestamp"]
        target_label: "syslog_timestamp"
      # add syslog ID
      - source_labels: ["__journal_syslog_identifier"]
        target_label: "syslog_identifier"
    pipeline_stages:
      # TODO: set timestamp to value from log
      # FIXME: `systemd_timestamp` never shows up in packed labels
      - timestamp:
          source: __journal_syslog_timestamp
          format: UnixMs
      # pack non-selector labels (to prevent indexing)
      # note: you need to `… | unpack` results to access these in queries
      - pack:
          labels:
            - level
            - syslog_identifier
            - syslog_timestamp
            - unit

All packed labels except syslog_timestamp work fine. syslog_timestamp fails to show up, but it seems to work when debugging with promtail … --dry-run --inspect, e.g. see this (slightly redacted) log line:

2023-07-18T15:31:36.736335299+0000	{job="systemd-journal", syslog_timestamp="1689694296733675"}	{"level":"info","syslog_identifier":"systemd","_entry":"log message"}
[inspect: timestamp stage]: 
{stages.Entry}.Entry.Entry.Timestamp:
	-: 2023-07-18 15:31:36.790768 +0000 UTC
	+: 53546250-09-23 14:11:14 +0000 UTC

@brutus
The label syslog_timestamp="1689694296733675" uses 16 characters. You can try format: UnixUs instead of UnixMs. Change the source to syslog_timestamp:

     - timestamp:
         source: syslog_timestamp
         format: UnixUs
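To see why the 16-digit value needs UnixUs rather than UnixMs, here is an added Python check (not part of the thread) that interprets the raw `__journal_syslog_timestamp` value with each promtail timestamp format and reports which one lands in a plausible era; the constant names, the sample value taken from the log line above and the 2000-2100 window are this example's own choices.

```python
from datetime import datetime, timedelta, timezone

# Promtail timestamp-stage format names -> epoch units per second.
UNITS_PER_SECOND = {"Unix": 1, "UnixMs": 10**3, "UnixUs": 10**6, "UnixNs": 10**9}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the syslog_timestamp value shown in the thread's log line.
SAMPLE_VALUE = 1689694296733675


def epoch_to_datetime(value: int, fmt: str):
    """Interpret `value` with the given promtail format.

    Returns None when the result falls outside Python's datetime range,
    which is what a unit that is too small (e.g. UnixMs for a microsecond
    value) produces: an absurd year instead of the journal entry's time.
    """
    per_sec = UNITS_PER_SECOND[fmt]
    seconds, rem = divmod(value, per_sec)
    micros = rem * 10**6 // per_sec
    try:
        return EPOCH + timedelta(seconds=seconds, microseconds=micros)
    except OverflowError:
        return None


def guess_format(value: int,
                 lo=datetime(2000, 1, 1, tzinfo=timezone.utc),
                 hi=datetime(2100, 1, 1, tzinfo=timezone.utc)):
    """Return the promtail format under which `value` falls in [lo, hi).

    Returns None if no unit fits, i.e. the field is not an epoch timestamp
    at all and a pipeline `timestamp` stage should not be pointed at it.
    """
    for fmt in UNITS_PER_SECOND:
        ts = epoch_to_datetime(value, fmt)
        if ts is not None and lo <= ts < hi:
            return fmt
    return None


if __name__ == "__main__":
    for fmt in UNITS_PER_SECOND:
        print(f"{fmt:7s} -> {epoch_to_datetime(SAMPLE_VALUE, fmt)}")
    print("suggested format:", guess_format(SAMPLE_VALUE))
```

Running it shows UnixMs and Unix cannot even represent the value, while UnixUs yields 2023-07-18 15:31:36.733675 UTC, a few milliseconds before the processing timestamp in the `--inspect` output.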
