Hi, I deployed promtail with helm chart to receive syslog from rsyslogd and send them to Loki. It works fine.
I want to manipulate the syslog format to enhance Loki performance, but fail to make the template stage work properly.
I have this sample log below with typical syslog labels like app_name, facility, severity and so on
I want to put some of those labels into the log line, and make the log line a json-like string, so I can reduce the usage of labels and enhance the performance, and still use |json to parse the log line.
Ideally, the log line should be like
{"app_name":"some app name","facility":"local7","proc_id":"9233","severity":"informational","message":"Event|6901|LOG_INFO|AMM|-|An action has been triggered by the NAE agent L2X-Watchdog"}
And some labels are kept like below
cluster:some_cluster_name
data_type:some_device-syslog
host: some_hostname
Under the extraScrapeConfigs in values.yaml, the relabel_configs part works as expected, but in the template stage, none of those key references returns any values. The log line becomes an empty string.
- job_name: syslog
syslog:
listen_address: 0.0.0.0:{{ .Values.extraPorts.syslog.containerPort }}
use_incoming_timestamp: true
labels:
cluster: some_cluster_name
data_type: some_device-syslog
relabel_configs:
- source_labels:
- __syslog_message_hostname
target_label: host
- source_labels:
- __syslog_message_severity
target_label: severity
- source_labels:
- __syslog_message_facility
target_label: facility
- source_labels:
- __syslog_message_app_name
target_label: app_name
- source_labels:
- __syslog_message_proc_id
target_label: proc_id
pipeline_stages:
- template:
source: message
template: '{{ .severity }} {{ .facility }} {{ .app_name }} {{ .proc_id }} {{ .Entry }}'
- output:
source: message
Below are what my empty log lines look like
Please tell me if I did something wrong. Thank you
The chart I use
cat Chart.yaml
apiVersion: v2
appVersion: 2.5.0
description: Promtail is an agent which ships the contents of local logs to a Loki
instance
home: new user can only post two links
icon: new user can only post two links
maintainers:
- email: lokiproject@googlegroups.com
name: Loki Maintainers- name: unguiculus
name: promtail
sources:- new user can only post two links
type: application
version: 6.0.0