Is it possible to capture a string with a space in it?

pavelnarozhny88 · June 7, 2023, 12:49pm

Hi

Is it possible to capture a string with a space in it? I am parsing the log for labels, because it is crooked in the source without labels. I use pattern. Cannot capture date and time in one tag

Example Log

INFO: GeoBlock: 2023/06/04 08:25:30 geoblock@file: request denied [183.136.225.45] for country [CN]

Query

sum by (message, country, date, time, ip) (rate({container_name="traefik"} | logfmt | __error__=`` | pattern `<_>: <_>: <date> <time> <_>: <message> [<ip>] <_> [<country>]` [$__range]))

usman.ahmad · June 7, 2023, 1:22pm

Hi @
pavelnarozhny88,

Thanks for opening this issue.

Please review the submission template and include more details:

What Grafana version and what operating system are you using?
What is your datasource?
What visualization panel you are using e.g. time-series, bar chart, histogram etc?
What are you trying to achieve?
How are you trying to achieve it?
What happened?
What did you expect to happen?
Can you copy/paste the configuration(s) that you are having problems with?
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
Did you follow any online instructions? If so, what is the URL?

pavelnarozhny88 · June 7, 2023, 1:29pm

I’m trying to combine date and time into one column in the table. So that the filtering by columns works properly.

I pull logs from the docker, there is a log that can not be pulled normally without pattern

usman.ahmad · June 7, 2023, 1:32pm

Thanks,

I think this seems more like Loki LogQL related question.

I am not the best guy to help with the Loki stuff. So I will move this post to the correct category so that the folks there can help you out.

Also, we do have LogQL documentation page where some examples are available. Maybe there are some tips regarding so please check it out as well.

pavelnarozhny88 · June 7, 2023, 1:34pm

I read the instructions. It does not contain the right example

tonyswumac · June 7, 2023, 5:42pm

You can use pattern and then combine datestamp and timestamp with line_format. I have an example on your other posts that you can reference to.

However, I would say that in general you should not have to or want to parse log lines for time stamps. You should be doing that during log ingestion, so that the logs are stored on Loki with the correct time stamp matching that of the log lines.

pavelnarozhny88 · June 8, 2023, 1:30am

Example please
The table does not have a time parameter. More precisely, there is, but it transmits the current local time

pavelnarozhny88 · June 8, 2023, 11:56am

So it didn’t work

sum by(date, time, message, country, request_addr) (rate({container_name="traefik"} | logfmt | line_format "{{.date}} {{.time}}" | __error__=`` |~ `$geoblock` | pattern `<_>: <_>: <date> <time> <_>: <message> [<request_addr>] <_> [<country>]` [$__range]))

tonyswumac · June 8, 2023, 4:27pm

| pattern "<_> <_> <date> <time>" | line_format "{{.date}}-{{.time}} {{__line__}}"

Your log line becomes:

2023/06/04-08:25:30 geoblock@file: request denied [183.136.225.45] for country [CN] INFO: GeoBlock: 2023/06/04 08:25:30 geoblock@file: request denied [183.136.225.45] for country [CN]

Again, this is not how you should do it. See my other reply below.

tonyswumac · June 8, 2023, 4:29pm

That’s what I was referring to in my original post. You should parse your logline and change the timestamp to that instead of using local time of your log agent. I don’t know what log agent you use, but a generic flow should be something like this:

Given log line:

INFO: GeoBlock: 2023/06/04 08:25:30 geoblock@file: request denied [183.136.225.45] for country [CN]

Parse it (however your log agent does it) and get the date and time (2023/06/04 08:25:30).
Set the log line timestamp to 2023/06/04 08:25:30.
Forward to Loki.

pavelnarozhny88 · June 10, 2023, 1:13pm

Is there an example of how to use it? I can’t analyze the log properly

pavelnarozhny88 · June 10, 2023, 4:24pm

tonyswumac · June 12, 2023, 3:58pm

Using your original log line, assuming you are using promtail:

INFO: GeoBlock: 2023/06/04 08:25:30 geoblock@file: request denied [183.136.225.45] for country [CN]

Promtail pipeline stage;

pipeline_stages:
  - regex:
      expression: '^(?:\S+): (?:\S+): (?P<timestamp>\S+ \S+) (?:.*)'
  - timestamp:
      source: timestamp
      format: '2006/02/01 15:04:05'

pavelnarozhny88 · June 27, 2023, 11:31am

Ty!
Made it like this

system · June 26, 2024, 11:32am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timestamp not recognized in old logs / regex Grafana Loki loki , regex , timestamp	3	1382	April 25, 2024
From loki to chart problem Grafana Loki loki , grafana	4	572	May 17, 2024
MSSQL servers logs extracted to loki Grafana dashboard with space in between character's Grafana Loki mssql	15	2398	May 23, 2024
Basic question about parser pattern syntax Grafana Loki	2	1498	October 27, 2022
Extract number from log line (json) Grafana loki	5	1521	February 2, 2024

Is it possible to capture a string with a space in it?

Related topics