Consider the following log lines (assume one single line):
```json
{
  "timestamp": "<TS>",
  "client_ip": "<IP>",
  "event_ids": [
    "event1",
    "event2"
  ]
}
```
Is it possible to somehow aggregate and group by client_ip and event_ids? In this example it would essentially be two groups, (, “event1”) and (, “event2”).
are you talking about doing this in Loki? or some other way?
In Loki, yeah. I do have a feature request to add some sort of split function to Promtail as a workaround: Add Split Filter to Promtail · Issue #7998 · grafana/loki · GitHub
What I am currently doing is use logstash to do the split before sending logs to Loki, effectively duplicating logs for number of delimited fields. Definitely convoluted, and was wondering if anyone has a better solution.
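The pre-ingestion split described above (one output line per element of the array field, so that Loki sees flat `client_ip`/`event_ids` pairs), written out as an added Python example rather than the poster's Logstash pipeline. The field names follow the question; the sample lines, the empty-array and malformed-line handling, and the function names are assumptions made for this example.

```python
import json

# Constructed sample input: JSON log lines like the one in the question,
# plus an empty-array line and a malformed line to show the edge cases.
SAMPLE_LINES = [
    '{"timestamp": "2024-01-01T00:00:00Z", "client_ip": "192.0.2.10", "event_ids": ["event1", "event2"]}',
    '{"timestamp": "2024-01-01T00:00:01Z", "client_ip": "192.0.2.11", "event_ids": ["event2"]}',
    '{"timestamp": "2024-01-01T00:00:02Z", "client_ip": "192.0.2.10", "event_ids": []}',
    'not json at all',
]


def explode(line, field="event_ids"):
    """Yield one record per element of the array field in a JSON log line.

    Non-JSON lines are dropped here (a real pipeline would route them to a
    dead-letter output); lines where the field is not an array pass through
    unchanged; an empty array yields one record with the field set to None so
    the event is not silently lost.
    """
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return
    values = record.get(field)
    if not isinstance(values, list):
        yield record
        return
    if not values:
        yield {**record, field: None}
        return
    for value in values:
        # Copy the record so each output line carries a single scalar value.
        yield {**record, field: value}


def explode_lines(lines, field="event_ids"):
    """Return the flattened records as JSON strings, one per output line."""
    return [json.dumps(rec, sort_keys=True)
            for line in lines for rec in explode(line, field)]


def group_counts(lines, field="event_ids"):
    """Count records per (client_ip, <field>) after splitting.

    This is the grouping the question asks for; in Loki the same grouping can
    then be done over the flattened lines with `| json` and a `by` clause.
    """
    counts = {}
    for line in lines:
        for rec in explode(line, field):
            key = (rec.get("client_ip"), rec.get(field))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for out in explode_lines(SAMPLE_LINES):
        print(out)
    for (ip, event), n in sorted(group_counts(SAMPLE_LINES), key=str) if False else sorted(group_counts(SAMPLE_LINES).items(), key=str):
        print(ip, event, n)
```

Two practical notes on this approach: the duplication is the cost the poster mentions, since a line with N event ids becomes N lines, so volume and any per-line retention or alerting should be sized for that; and once split, `client_ip` and the event id are better left as fields inside the log line (queried with `| json`) than promoted to Loki labels, because both are high-cardinality values that would multiply streams.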