Invert regex in drop action

Hello.

I want logs only message with pattern oom-killer. I tested regex in regex101, but in promtail not work. Can i log message with only “oom-killer” pattern?

/usr/local/bin/promtail -config.file=/etc/promtail/promtail.yml -log.level=debug -config.expand-env=false --dry-run --inspect
echo “oom-test” | systemd-cat

2024-02-29T13:28:00.397881+0000{job=“systemd-journal”}oom-test
level=debug ts=2024-02-29T13:28:00.712036544Z caller=drop.go:217 component=journal_pipeline component=stage type=drop msg=“line will not be dropped, the provided regular expression did not match the log line”

scrape_configs:
  - job_name: journal
    journal:
      max_age: 12h
      labels:
        job: systemd-journal
        hostname: ''
    relabel_configs:
      - source_labels: ["_journal_systemd_unit"]
        target_label: "unit"
    pipeline_stages:
      - drop:
          expression: ".*!?oom-killer.*"

The drop stage uses RE2 (see drop | Grafana Loki documentation), so when testing you’ll want to make sure you select golang and version 2.

It’s a pain in general to write regex not containing something. So I recommend you to do it the other way around. Mock logic below:

1. Use regex to group capture string oom-killer.
2. Use match stage to match the group capture for anything that’s not oom-killer, then drop.
3. Whatever else can be put after the match/drop stage.

Mock config (not tested):

pipeline_stages:
  - regex:
      expression: ".*(?P<drop_key>oom-killer).*"
  - labels:
      drop_key:
  - match:
      selector: '{drop_key!="oom-killer"}'
      action: drop

<whatever else>