sumith
1
Hi all,
I’m using Alloy to collect logs from Kubernetes pods, and my current configuration uses:
local.file_match "pod_logs" {
path_targets = [
{ __path__ = "/var/log/pods/**/*.log" },
]
}
loki.source.file "pod_logs" {
targets = local.file_match.pod_logs.targets
forward_to = [loki.write.victorialogs.receiver]
}
This works fine for tailing the logs, but I don’t get any Kubernetes metadata (namespace, pod name, container, node) attached to the logs.
I cannot use discovery.kubernetes because Alloy is deployed after my application, so I would miss the initial logs.
My questions:
- How can I enrich logs collected via
local.file_match + loki.source.file with Kubernetes metadata?
- Can I extract namespace/pod/container/node from the file path (
/var/log/pods/<namespace>_<pod>_<uid>/<container>/0.log) inside Alloy?
- Is there an Alloy-native way to map hostPath logs to Kubernetes metadata without using
discovery.kubernetes?
I don’t think you can. Most of the metadata are gathered from API, and if you don’t hit the API then you wouldn’t get those info.
See here for example on how to collect pod logs with API: Collect Kubernetes logs and forward them to Loki | Grafana Alloy documentation
sumith
3
Is there a way to parse the log file path to extract Kubernetes metadata such as namespace, pod name, and container?
"_msg": "2025-09-23T20:40:43.775038829+00:00 stderr F [D 250923 20:40:43 core:106] operatio completed",
"_stream": "{filename=\"/var/log/pods/testns_app-runner-5c74787c6b-sp4t2_33e370dc-2813-43d7-8692-5334f542b0e1/app-runner/7.log\"}",
"_stream_id": "0000000000000000b46e903fcc65a5f03176dcbee19b35ea",
"_time": "2025-09-23T20:40:43.905881023Z",
"filename": "/var/log/pods/testns_app-runner-5c74787c6b-sp4t2_33e370dc-2813-43d7-8692-5334f542b0e1/app-runner/7.log"
Looking at your example log, i see pod name, but which part is the namespace, and which part is the container name?
sumith
5
-
Namespace: testns
-
Pod Name: app-runner-5c74787c6b-sp4t2
-
Instance/UID: 33e370dc-2813-43d7-8692-5334f542b0e1
-
Container Name: app-runner
-
``
In the log path:
/var/log/pods/<namespace>_<pod name>_<pod uid>/<container name>/<instance>.log
With file_match you’ll always get a filename label, you can then use regex to parse the file name and then extract what you need.
sumith
7
i tried that regex on filename and that didn’t work. do have any reference or samples?
sumith
9
stage.regex {
expression = “^/var/log/pods/(?P[^]+)(?P[^]+)(?P<pod_uid>[^/]+)/(?P[^/]+)/(?P[^/]+)\.log$”
source = “filename”
}
- You have 4 incomplete group capture.
- You need to escape special characters such as
/.
- You should use ` to enclose the regex string in Alloy, if you use double quote you need to double escape special characters.
Try this:
expression = `^\/var\/log\/pods\/(?P<namespace>[^_\/]+)_(?P<pod_name>[^_\/]+)_(?P<pod_Id>[^_\/]+)\/(?P<container_name>[^\/]+)\/(?P<instance>[^\/]+)\.log$`
1 Like
