I am using promtail to handle syslog events. I can see how I would map syslog_message_app_name to a label, but my understanding is that I should avoid having too many labels because each creates another stream. But, when I look at the fields available for filtering, I do not see app-name or anything similar. I would think that the app name would be available as a field if I don’t map it to a label.
For example, how would I filter for log entries from postfix without setting a label? If I filter on {host="dashboard"} |="postfix", I don’t get any log entries from postfix, but I get entries from other applications that mentioned postfix.
Hey @davidnusbaum - how many additional labels do you have? Also, what would you estimate to be the number of unique applications that would log to syslog?
Right now I have the job and host labels.
I looked at the logs on one of my servers and it had 24 different app names. There could be more, but I think 24 at least gives an order of magnitude.
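As an added illustration (not from anyone in this thread): a promtail syslog scrape config that keeps the job and host labels mentioned above and maps the syslog app name to an extra label, so postfix entries can be selected directly instead of with a `|="postfix"` line filter that also matches other apps talking about postfix. The listen address, the label name `app` and the host `dashboard` in the query are assumptions.

```yaml
# Added example: promtail syslog scrape config with a bounded app label.
scrape_configs:
  - job_name: syslog
    syslog:
      listen_address: 0.0.0.0:1514   # assumed; rsyslog forwards here
      labels:
        job: syslog                  # static label, one stream family
    relabel_configs:
      # host comes from the syslog HOSTNAME field of each message
      - source_labels: ['__syslog_message_hostname']
        target_label: 'host'
      # app comes from the syslog APP-NAME field; with roughly 24 app
      # names per host this stays a low-cardinality label, so the
      # number of streams is hosts x apps, not unbounded
      - source_labels: ['__syslog_message_app_name']
        target_label: 'app'

# Query that then returns only postfix lines from that host:
#   {host="dashboard", app="postfix"}
```

Internal `__syslog_message_*` labels are dropped after relabeling, so an app name that is not mapped here is not available for filtering later.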
Thank you!
I had missed the best practices document when I was searching around for more info. So far I’m really impressed with Loki and it’s going to solve some problems for us. My biggest challenge has been in picking the right path forward.
syslog vs static
Use rsyslog to forward logs to a rsyslog endpoint and then run promtail on just the one server vs promtail on each server
Plus, I keep finding problems to solve because I’m finding log messages that used to go unnoticed
That’s great to hear @davidnusbaum!
If you’re happy with the solution, please mark it as such so the next person with a similar query can find the solution quickly.