Timestamp of last log line, per host

Hello all.
I have Loki ingesting logs from a lot of files, via promtail ; rsyslog is feeding those files.
Every file has its own tag ( excerpt from promtail.yaml ):

  job: extlog3
  customer: customername
  __path__: /srv/data/extlog/customername/*log

I’m trying to build a panel to show the timestamp of the last event, for every log file ; I’m not interested in firing alerts, just in having a look, every now and then, if everithing works fine

In splunk I use this simple query, that selects every last event, by host, and sort them by time in reverse order ( the oldest last )

| tstats latest(_time) as _time where index=$indexname by host  | sort -_time

and generates this panel

I cannot find the way to reproduce this, in logql I can’t even find the “latest” function, or a way to emulate/simulate it …

Thanks for suggestions


I wonder if there is any news on this or new features that might allow for something along these lines?

First I was assuming using an unwrapped range together with last_over_time might work, but since those expressions generically want to have numerical values, I could not get it work as described in the opening post.

I was trying a query like this, but I don’t think the timestamp works as an unwrapped value.

last_over_time({host=~"foo.*"} | logfmt | msg="foobar event" | unwrap duration(timestamp) [$__range]) by (host)

This will always fail with a SampleExtractionErr.

1 Like

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.