Hi there,
I am new to Grafana/Loki/Promtail and I have been having a hard time for two months now getting something to work, which I assumed, after going through the docs, reading through the community here and even trying to have ChatGPT help me out, would be an easy task.
I have log files with log lines like this:
2023/04/05 18:18:06 INFO : FilterImages/Img_011X5_2023_02_25-13_32_19.tiff.json: Copied (new)
2023/04/05 18:18:06 INFO : FilterImages/Img_011X5_2023_02_25-13_32_19.tiff.json: Deleted
2023/04/05 18:18:06 INFO : FilterImages/Img_011XH_2023_02_26-10_12_03.tiff.json: Copied (new)
2023/04/05 18:18:06 INFO : FilterImages/Img_011XH_2023_02_26-10_12_03.tiff.json: Deleted
This is the timestamp format in the log file: 2023/04/05 18:18:06
I use regex to capture it:
expression: '^(?P<extractedtimestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>ERROR|INFO) : (?P<message>.*)$'
Initially I started with a simple timestamp stage:
- timestamp:
    source: timestamp
    format: "2006/01/02 15:04:05"
The result was that there were no results in the query any more… not even any labels made it into Grafana.
Many many hours and iterations later I decided to do the reformatting to Loki’s default timestamp myself hoping for better results.
This is my current promtail config:
server:
  http_listen_port: 9080
  grpc_listen_port: 0
  log_level: debug
positions:
  filename: C:\Grafana\LokiPromTrail\PromTailPositions\positions.yaml
clients:
scrape_configs:
  - job_name: rclone
    static_configs:
      - targets:
          - localhost
        labels:
          __path__: C:/Grafana/LokiPromTrail/rctest.log
          job: rclone
          versioncounter: 55
    pipeline_stages:
      - regex:
          expression: '^(?P<extractedtimestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>ERROR|INFO) : (?P<message>.*)$'
      - template:
          source: extractedtimestamp
          #from 2006/01/02 15:04:05 to 2006-01-02 15:04:05
          template: '{{ Replace .Value "/" "-" 2 }}'
      - template:
          source: extractedtimestamp
          #from 2006-01-02T15:04:05 to 2006-01-02T15:04:05-07:00
          template: '{{ Replace .Value " " "T" 1 }}+02:00'
      - labels:
          reformattedtimestamp: extractedtimestamp
          level: level
          message: message
      - timestamp:
          source: extractedtimestamp
          format: RFC3339
          #initial easy setup format: "2006/01/02 15:04:05"
As you can see, I added template stages to transform the extracted timestamp to the RFC3339 format. I also put the result into a label just so that I could see it in Grafana.
I am running promtail in debug level:
level=debug ts=2023-04-08T08:45:55.2500749Z caller=regex.go:132 component=file_pipeline component=stage type=regex msg="extracted data debug in regex stage" extracteddata="map[extractedtimestamp:2023/04/05 19:30:16 filename:C:/Grafana/LokiPromTrail/rctest.log job:rclone level:INFO message:BlemishImages/Blemish_LogFile_01171_2023_02_09-12_50_38.json: Copied (new) versioncounter:55]"
What I get in Grafana when doing a query is this: I see the labels and the content of the labels. The reformattedtimestamp label does show all the timestamps of the log lines.
I have changed the default Loki config and added this:
limits_config:
  reject_old_samples: false
  reject_old_samples_max_age: 4w
I use the time range in the Grafana Explorer as now-7d to now.
But I get no results from a query whatsoever.
Removing the timestamp stage led to perfect results (except the timestamp of course).
I am running on Windows with the latest versions of Grafana/Loki/Promtail available in February.
Any ideas where to look?
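
An added example, not part of the original post and not Promtail's own code: the regex, the two `Replace` steps and the RFC3339 parse from the config above, reproduced offline with Go's standard library on one of the quoted log lines, plus a check of whether the resulting timestamp falls inside a query range. The function names `extract`, `toRFC3339` and `inWindow` are hypothetical; the group names are taken from the debug output and the `+02:00` offset from the template stage.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample input: one of the log lines quoted in the post.
const sampleLine = "2023/04/05 18:18:06 INFO : FilterImages/Img_011X5_2023_02_25-13_32_19.tiff.json: Copied (new)"

var lineRE = regexp.MustCompile(`^(?P<extractedtimestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>ERROR|INFO) : (?P<message>.*)$`)

// extract returns the named captures, comparable to the extracted map of the regex stage.
func extract(line string) (map[string]string, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	out := map[string]string{}
	for i, name := range lineRE.SubexpNames() {
		if name != "" {
			out[name] = m[i]
		}
	}
	return out, true
}

// toRFC3339 applies the two Replace steps of the template stages, then the fixed offset.
func toRFC3339(ts, offset string) string {
	ts = strings.Replace(ts, "/", "-", 2)
	return strings.Replace(ts, " ", "T", 1) + offset
}

// inWindow reports whether t lies inside [now-lookback, now], the span a relative query covers.
func inWindow(t, now time.Time, lookback time.Duration) bool {
	return !t.Before(now.Add(-lookback)) && !t.After(now)
}

func main() {
	f, _ := extract(sampleLine) // a non-matching line yields empty fields and parse errors below
	viaTemplate, err1 := time.Parse(time.RFC3339, toRFC3339(f["extractedtimestamp"], "+02:00"))
	viaLayout, err2 := time.Parse("2006/01/02 15:04:05", f["extractedtimestamp"])
	fmt.Println(viaTemplate.UTC(), err1) // the +02:00 offset is applied
	fmt.Println(viaLayout.UTC(), err2)   // no zone in the input, so Go reads it as UTC
	fmt.Println(inWindow(viaTemplate, time.Now(), 7*24*time.Hour))
}
```

Running it with the real log file's lines shows what instant each entry would carry after the timestamp stage, which can then be compared with the time range selected in Grafana Explore.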