Creating graph from logs using labels

graphana18 · January 6, 2024, 11:26am

Hello everybody,

I am wrestling with my new installation of Promtail-Loki-Grafana to obtain a graph from Fail2ban showing the amount of detection by IP.

For now my request is the following :

count_over_time({filename=“/var/log/fail2ban.log”} |= Ban | logfmt | pattern <date> <time>,<_> fail2ban.<_> [<_>]: <_> [<service>] <action> <ip> [24h])

It’s creating a label for each line in the following format :

{action=“Ban”, date=“2024-01-01”, filename=“/var/log/fail2ban.log”, ip=“88.214.25.241”, job=“varlogs”, service=“sshd”, time=“21:00:39”}

I expected to have several labels : action, ip, service, date, time. Maybe there is another approach to do this but at this moment every search I do point to this method or regex but I don’t really understand how to extract the desired labels and use them as axis in a barchart for example. How can I achieve this result ?

Thank you in advance for looking at my post

b0b · January 8, 2024, 12:03pm

You should be able to use any parsed field like this (the level field is extracted using the logfmt parser)

sum by (level) (count_over_time({container="prometheus"} | logfmt [1m]))

This gives me a graph per level. The same should be possible using the pattern parser as well.

graphana18 · January 11, 2024, 12:44pm

Thank you, I have been able to do it. It’s easier to setup some labels with promtails to extract the IPs before sending them to Loki with a regex. I also had some issues with the timestamps which were fixed the same way. For additional information, here is my promtail configuration for fail2ban :

- job_name: fail2ban
  static_configs:
  - targets:
      - localhost
    labels:
      job: fail2ban
      __path__: /var/log/fail2ban.log
  pipeline_stages:
  - regex:
      expression: '^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<log_component>[\w.]+)\s+\[(?P<id>\d+)\]: (?P<level>\w+)\s+\[(?P<service>[^\]]+)\] (?P<action>Restore Ban|Increase Ban|Ban|Unban|Found)(?:.*(?:\s|\b))(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:, (?P<is_bad>bad))?'
  - timestamp:
      source: timestamp
      format: '2006-01-02 15:04:05,000'
      location: "Europe/Paris"
  - labels:
      service:
      ip:
      action:
      is_bad:

system · January 10, 2025, 12:44pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing logs with promtail and loki Grafana Loki loki , configuration , promtail	16	17105	September 21, 2024
Unable to add labels to the logs Grafana Loki loki , configuration	9	985	October 23, 2024
Promtail - Pipeline stage with Regex is not parsing the log line and creating labels Dashboards loki , promtail	0	999	July 9, 2023
Extract log with labels, also extract metrics with different labels Grafana Loki metrics	5	1812	October 23, 2024
Loki group by label value Grafana Loki	6	11721	May 8, 2024

Creating graph from logs using labels

Related topics