I can't for the life of me figure out how to parse json timestamp in promtail config.yml

Greetings folks,

I have reached the end of the internet and searched everywhere. I decided to post here, and I’d appreciate some help.

My log file is JSON formatted and looks like this:

{"timestamp": "2022-11-21T23:53:29.836288+00:00", "method": "GET", "path": "/login", "level": "info"}

When parsing using promtail pipeline stages, I have the following timestamp format:

scrape_configs:
  - job_name: my_job
    pipeline_stages:
      - json:
          expressions:
            time: timestamp
          timestamp:
            source: time
            format: 2006-01-02T15:04:05.000000-07:00
    static_configs:
      - targets:
          - localhost
        labels:
          job: web-access
          __path__: /var/log/my_project/web_access.log

But when running promtail and checking the logs in Loki, the line timestamp is always the time when promtail exported the logs, not the actual time of the event from the JSON timestamp field. This is the default that I am trying to override.

Anything I am doing wrong here? I’ve tried various things, from changing the key to “timestamp”, “time”, etc. I have also read all the Stack Overflow posts associated with this issue.

Thank you!
NPG

I figured out the problem. It was my mistake. The “timestamp” pipeline step needs to be indented at the same level as “json”, like so:

scrape_configs:
  - job_name: my_job
    pipeline_stages:
      - json:
          expressions:
            time: timestamp
      - timestamp:
          source: time
          format: 2006-01-02T15:04:05.000000-07:00
    static_configs:
      - targets:
          - localhost
        labels:
          job: web-access
          __path__: /var/log/my_project/web_access.log
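Once the timestamp step runs as its own stage, the `format` value (a Go reference-time layout) still has to match the field exactly. The following Go program is an added example, not part of the original posts and not promtail's own code: it applies the same layout to the sample line in the same json-then-timestamp order. `eventTime` is a hypothetical helper, and the second and third input lines are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Layout copied from the timestamp stage in the config above.
const layout = "2006-01-02T15:04:05.000000-07:00"

// eventTime mimics the two stages in order: extract the "timestamp" field
// from the JSON line, then parse it with the layout. Hypothetical helper.
func eventTime(line string) (time.Time, error) {
	var fields map[string]interface{}
	if err := json.Unmarshal([]byte(line), &fields); err != nil {
		return time.Time{}, fmt.Errorf("json stage: %w", err)
	}
	raw, ok := fields["timestamp"].(string)
	if !ok {
		return time.Time{}, fmt.Errorf("json stage: no string field %q", "timestamp")
	}
	t, err := time.Parse(layout, raw)
	if err != nil {
		return time.Time{}, fmt.Errorf("timestamp stage: %w", err)
	}
	return t.UTC(), nil
}

func main() {
	lines := []string{
		// Sample line from the post.
		`{"timestamp": "2022-11-21T23:53:29.836288+00:00", "method": "GET", "path": "/login", "level": "info"}`,
		// Constructed: millisecond precision, which the six-digit layout rejects.
		`{"timestamp": "2022-11-21T23:53:29.836+00:00", "method": "GET", "path": "/login", "level": "info"}`,
		// Constructed: no timestamp field at all.
		`{"method": "GET", "path": "/login", "level": "info"}`,
	}
	for _, l := range lines {
		t, err := eventTime(l)
		if err != nil {
			fmt.Println("REJECTED:", err)
			continue
		}
		fmt.Println("event time:", t.Format(time.RFC3339Nano))
	}
}
```

Lines that fail either step here are the ones to check in Loki, since their stored time would not come from the event itself.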
