When parsing the systemd journal with promtail, can I replace the generated timestamp (time of processing) with the one from the journal (original timestamp of the journal entry)?
You can see this Stack Overflow Question for some background.
Hello,
Yes, it is possible, but by default syslog saves the timestamp without the year; it is possible to change this behavior. Can you send me a sample log line?
Hey @palw3ey thanks for the reply and sorry for my late response.
This is my config for promtail:
scrape_configs:
  - job_name: systemd-journal
    journal:
      labels:
        job: systemd-journal
    relabel_configs:
      # add label unit
      - source_labels: ["__journal__systemd_unit"]
        target_label: "unit"
      # add label level (priority)
      - source_labels: ["__journal_priority_keyword"]
        target_label: "level"
      # get timestamp
      - source_labels: ["__journal_syslog_timestamp"]
        target_label: "syslog_timestamp"
      # add syslog ID
      - source_labels: ["__journal_syslog_identifier"]
        target_label: "syslog_identifier"
    pipeline_stages:
      # TODO: set timestamp to value from log
      # FIXME: `systemd_timestamp` never shows up in packed labels
      - timestamp:
          source: __journal_syslog_timestamp
          format: UnixMs
      # pack non-selector labels (to prevent indexing)
      # note: you need to `… | unpack` results to access these in queries
      - pack:
          labels:
            - level
            - syslog_identifier
            - syslog_timestamp
            - unit
All packed labels except syslog_timestamp work fine. syslog_timestamp fails to show up, but it seems to work when debugging with promtail … --dry-run --inspect, e.g. see this (slightly redacted) log line:
2023-07-18T15:31:36.736335299+0000 {job="systemd-journal", syslog_timestamp="1689694296733675"} {"level":"info","syslog_identifier":"systemd","_entry":"log message"}
[inspect: timestamp stage]:
{stages.Entry}.Entry.Entry.Timestamp:
-: 2023-07-18 15:31:36.790768 +0000 UTC
+: 53546250-09-23 14:11:14 +0000 UTC
@brutus
The label syslog_timestamp="1689694296733675" uses 16 characters. You can try format: UnixUs instead of UnixMs, and change the source to syslog_timestamp:
- timestamp:
    source: syslog_timestamp
    format: UnixUs
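The reply above picks UnixUs because the raw value has 16 digits. The script below, an added example written for this thread (not code from the original posts, promtail or Grafana), turns that reasoning into a check you can run before changing a pipeline: it guesses the promtail Unix* format from the digit count, parses the value under every format, and confirms which interpretation lands near the time promtail actually processed the entry. The digit-count table is an assumption of this example (it holds for present-day timestamps), and the sample values JOURNAL_RAW and INGEST_TIME are copied from the dry-run line quoted earlier in the thread.

```python
# Added example (not from the thread): sanity-check a journal epoch timestamp
# before wiring it into promtail's timestamp stage.
from datetime import datetime, timedelta, timezone

# promtail's Unix* timestamp formats and how many units each packs into a second.
UNIX_FORMATS = {"Unix": 1, "UnixMs": 1_000, "UnixUs": 1_000_000, "UnixNs": 1_000_000_000}

# Assumed digit counts for present-day timestamps (10 digits of seconds covers 2001..2286).
DIGITS_TO_FORMAT = {10: "Unix", 13: "UnixMs", 16: "UnixUs", 19: "UnixNs"}

# Values taken from the (redacted) dry-run line quoted in the thread:
# the journal's syslog_timestamp and the time promtail processed the entry.
JOURNAL_RAW = "1689694296733675"
INGEST_TIME = datetime(2023, 7, 18, 15, 31, 36, 736335, tzinfo=timezone.utc)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def infer_unix_format(raw: str) -> str:
    """Pick the promtail format name from the digit count of the raw value."""
    digits = raw.strip()
    if not digits.isdigit():
        raise ValueError(f"not an integer epoch value: {raw!r}")
    try:
        return DIGITS_TO_FORMAT[len(digits)]
    except KeyError:
        raise ValueError(f"unexpected digit count {len(digits)} in {raw!r}") from None


def parse_epoch(raw: str, fmt: str):
    """Interpret raw under fmt; return an aware UTC datetime, or None when the
    result is not representable (which is what a wrong unit usually produces)."""
    scale = UNIX_FORMATS[fmt]
    seconds, remainder = divmod(int(raw), scale)
    micros = remainder * 1_000_000 // scale
    try:
        return EPOCH + timedelta(seconds=seconds, microseconds=micros)
    except OverflowError:
        return None


def within_skew(raw, fmt, ingest_time, max_skew=timedelta(minutes=5)) -> bool:
    """True when raw parsed as fmt lands close to the processing time."""
    parsed = parse_epoch(raw, fmt)
    return parsed is not None and abs(parsed - ingest_time) <= max_skew


def choose_format(raw, ingest_time, max_skew=timedelta(minutes=5)):
    """Try every Unix* format and return the one consistent with the ingest
    time, independent of digit counting; None if nothing fits."""
    for fmt in UNIX_FORMATS:
        if within_skew(raw, fmt, ingest_time, max_skew):
            return fmt
    return None


if __name__ == "__main__":
    print("digit-count guess:", infer_unix_format(JOURNAL_RAW))
    for fmt in UNIX_FORMATS:
        print(f"{fmt:7s} ->", parse_epoch(JOURNAL_RAW, fmt) or "not representable")
    print("format consistent with ingest time:", choose_format(JOURNAL_RAW, INGEST_TIME))
```

Reading the value as milliseconds puts it tens of thousands of years in the future, which is the same class of nonsense as the 53546250-09-23 timestamp in the inspect output; only UnixUs reproduces the 15:31:36 that the processing time shows. The source change in the reply matters for a separate reason: labels beginning with __ are dropped once relabel_configs has run, so a pipeline stage can only see the relabeled syslog_timestamp, not __journal_syslog_timestamp.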