Windows events in promtail, Label value Level replacement not working

Hi, I am fairly new to Promtail, Loki and Grafana. In my company we have an existing Grafana, Loki stack and already push some logs from k8s, Apache etc.
But I am stuck with the scraping of Windows events in particular (we have German Windows systems, btw). The events are pushed with "windows_events" and I successfully put the level into a label (because it was only a detected field).
Problem: I cannot get the levels, which are represented as a number in Windows, like 5 - debug, 4 - info etc., to the hardcoded level message in Loki.
I wonder why I don't see anything about that on the internet.

What I tried: I tried the template replace function and also the regex in one YAML with two jobs. One checks the System log and the other the Application log of Windows. The replacement is not working, no matter what I try (I changed the order, and even tried to relabel levelText to level, which worked, but not the translation like "Informationen" to "info" or "Warnung" to "warning"). LevelText is also not always given, so that workaround is not an option. Here is the code:

```yaml
scrape_configs:
- job_name: windows_system_events
  pipeline_stages:
  - json:
      expressions:
        level: level
        message: message
        timestamp: ts

  - template:
      source: level
      template: '{{ Replace .Value "5" "debug" 1 }}'
  - template:
      source: level
      template: '{{ Replace .Value "4" "info" 1 }}'
  - template:
      source: level
      template: '{{ Replace .Value "3" "warning" 1 }}'
  - template:
      source: level
      template: '{{ Replace .Value "2" "error" 1 }}'
  - template:
      source: level
      template: '{{ Replace .Value "1" "critical" 1 }}'
  - labels:
      level:
  windows_events:
    use_incoming_timestamp: false
    bookmark_path: "../myserver_system.xml"
    eventlog_name: "System"
    xpath_query: '*'
    labels:
      km_app: 'win_event_log'
  relabel_configs:
    - source_labels: ['computer']
      target_label: 'host'
```

and the other


```yaml
- job_name: windows_application_events
  pipeline_stages:
  - json:
      expressions:
        level: level
        message: message
        timestamp: ts
  - replace:
      source: level
      expression: Ausführlich
      replace: debug
  - replace:
      source: level
      expression: Informationen
      replace: info
  - replace:
      source: level
      expression: Warnung
      replace: warning
  - replace:
      source: level
      expression: Fehler
      replace: error
  - replace:
      source: levelText
      expression: Kritisch
      replace: critical
  - labels:
      level:
  windows_events:
    use_incoming_timestamp: false
    bookmark_path: "../mysystem_application.xml"
    eventlog_name: "Application"
    xpath_query: '*'
    labels:
      km_app: 'win_event_log'
  relabel_configs:
    - source_labels: ['computer']
      target_label: 'host'
```

Edit: It finally works all of a sudden, with the template method (without the regex method). I don't know why.
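A single-stage variant of the numeric mapping described in the post, added here as an example and not part of the original post or of the Promtail documentation: one template stage with an if/else chain replaces the five chained `Replace` stages, using the post's own mapping (1 critical, 2 error, 3 warning, 4 info, 5 debug). It assumes the json stage has already extracted `level`, as in the post's jobs.

```yaml
pipeline_stages:
  # Same extraction as in the post: pull the numeric level out of the
  # JSON line that the windows_events target produces.
  - json:
      expressions:
        level: level
        message: message
        timestamp: ts

  # Map the numeric level in one pass. Each value is compared exactly,
  # so the result does not depend on the order of the branches and a
  # replacement text can never be rewritten by a later stage.
  # Any other value is passed through unchanged, so unmapped levels
  # stay visible in Loki instead of being mislabelled.
  # The "{{-" markers trim the spaces that YAML folding inserts
  # between the lines of the template.
  - template:
      source: level
      template: >-
        {{ if eq .Value "1" }}critical
        {{- else if eq .Value "2" }}error
        {{- else if eq .Value "3" }}warning
        {{- else if eq .Value "4" }}info
        {{- else if eq .Value "5" }}debug
        {{- else }}{{ .Value }}
        {{- end }}

  # Promote the mapped value to the "level" label, as in the post.
  - labels:
      level:
```

Because the mapping works on the numeric `level` field, it does not depend on the localized `levelText` strings, which the post notes are not always present.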
