Design, best practice for collecting data from different sources

Hi, I am new to Grafana Alloy and have a design and best practices question.
We want to collect logs from various systems, such as Windows Event Logs and Linux journald logs.

In my test lab, I have configured a central Alloy instance that receives logs from Alloy agents installed on Windows and Linux systems. Later, we also plan to process logs from network devices (classic syslog).

The central Alloy instance should label, process, filter, and send the logs to different backends. One backend is Loki, and the other is Splunk.

I have attached a screenshot of my current test pipeline. I want to add some labels specific to Windows logs and Linux logs so that I can filter them later. (The left path is for Linux and the right path is for Windows.)

However, I am wondering what happens to log lines that pass through both paths. For example, if I make a configuration mistake, will they be duplicated in loki.write.as_logsink_all?

Would it be better to create multiple loki.source.api endpoints with fixed label sets? Or should labels be added on the client side whenever possible?

Thanks!

My personal preference usually is to let individual Alloy agents on the hosts do the parsing. And your central Alloy instance would be purely a proxy between your various agents and Loki. This has the benefit of keeping each log pipeline separate.

If you intend to do all the parsing on your central Alloy instances, then I would recommend having something to separate logs from individual sources. You don’t need to configure multiple API endpoints for this; just having some sort of identifying label would be enough.

For example, you could designate a label, say alloy_pipeline_id or something like that, and on your Windows hosts you’d set it to alloy_pipeline_id = windows using an external label, and on Linux it could be alloy_pipeline_id = linux, and then your central Alloy would simply use multiple matching blocks to match each of them.
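
A sketch of the layout described in the answer above, added here as an example and not part of the original posts or of any poster's configuration. The hostnames, port, component labels other than loki.write.as_logsink_all, and the os_family label are assumptions made for illustration.

```alloy
// --- On each Windows host (agent). Linux hosts use the same loki.write
// --- block with alloy_pipeline_id = "linux", fed by loki.source.journal.
loki.source.windowsevent "application" {
  eventlog_name = "Application"
  forward_to    = [loki.write.to_central.receiver]
}

loki.write "to_central" {
  endpoint {
    // Placeholder URL for the central Alloy instance.
    url = "http://central-alloy.example.internal:3100/loki/api/v1/push"
  }
  // Attached to every entry this agent sends.
  external_labels = { alloy_pipeline_id = "windows" }
}

// --- On the central Alloy instance: one endpoint for all agents.
loki.source.api "ingest" {
  http {
    listen_address = "0.0.0.0"
    listen_port    = 3100
  }
  forward_to = [loki.process.by_source.receiver]
}

// A single loki.process with one stage.match per source. Each entry
// passes through this component once and is forwarded once; only the
// stages inside a block whose selector matches are applied to it.
loki.process "by_source" {
  stage.match {
    selector = "{alloy_pipeline_id=\"windows\"}"
    stage.static_labels {
      values = { os_family = "windows" } // hypothetical label
    }
  }
  stage.match {
    selector = "{alloy_pipeline_id=\"linux\"}"
    stage.static_labels {
      values = { os_family = "linux" } // hypothetical label
    }
  }
  forward_to = [loki.write.as_logsink_all.receiver]
}

loki.write "as_logsink_all" {
  endpoint {
    url = "http://loki.example.internal:3100/loki/api/v1/push" // placeholder
  }
}
```

By contrast, listing two separate loki.process components in the forward_to of loki.source.api, with both forwarding to the same loki.write, delivers every entry to that sink twice.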

Thank you for your suggestion. I will try the ‘centralized’ approach first. If it turns out to be too complicated, I will switch to the individual Alloy configuration.