Log lines are not in order after ingesting to Loki

Grafana Loki
,
1

Hi There,

I am ingesting log files to Loki via Fluentbit, but I found the log lines with same timestamp were not showing in order as they are in the original log files:

original log lines:

[D 2024-06-19 17:25:02.417 26256 17660 - - ldap3:118] BASIC:instantiated Tls: <Tls(validate=<VerifyMode.CERT_NONE: 0>)>

[D 2024-06-19 17:25:02.417 26256 17660 - - ldap3:118] BASIC:instantiated Server: <Server(host=‘shgmwcdc01.cod.ms.com.cn’, port=636, use_ssl=True, allowed_referral_hosts=[(‘*’, True)], tls=Tls(validate=<VerifyMode.CERT_NONE: 0>), get_info=‘SCHEMA’, mode=‘IP_V6_PREFERRED’)>

[D 2024-06-19 17:25:02.417 26256 17660 - - ldap3:118] ERROR:unknown strategy for <ldaps://shgmwcdc01.cod.ms.com.cn:636 - ssl - user: itsm_api_qa - not lazy - unbound - closed - - tls not started - not listening - No strategy - internal decoder>

[D 2024-06-19 17:25:02.417 26256 17660 - - ldap3:118] BASIC:instantiated : <ldaps://shgmwcdc01.cod.ms.com.cn:636 - ssl - user: itsm_api_qa - not lazy - unbound - closed - - tls not started - not listening - No strategy - internal decoder - async - real DSA - not pooled - cannot stream output>

[D 2024-06-19 17:25:02.417 26256 17660 - - ldap3:118] BASIC:instantiated Connection: <Connection(server=Server(host=‘shgmwcdc01.cod.ms.com.cn’, port=636, use_ssl=True, allowed_referral_hosts=[(‘*’, True)], tls=Tls(validate=<VerifyMode.CERT_NONE: 0>), get_info=‘SCHEMA’, mode=‘IP_V6_PREFERRED’), user=‘itsm_api_qa’, auto_bind=‘NO_TLS’, version=3, authentication=‘SIMPLE’, client_strategy=‘RESTARTABLE_ASYNC’, auto_referrals=True, check_names=True, read_only=False, lazy=False, raise_exceptions=False, fast_decoder=True, auto_range=True, receive_timeout=15, return_empty_attributes=True, auto_encode=True, auto_escape=True, use_referral_cache=False)>

In Grafana:

image
image1800×219 133 KB

Per the suggestion in cannot order loki entries with same timestamp · Issue #56071 · grafana/grafana · GitHub, I set increment_duplicate_timestamp as true, but still no luck.

Any ideas about this?

I am running Loki in K8S with version 2.9.8.

2

Here is the stdout from fluentbit, which is in the same order as the original log files:

image
image2540×245 40.8 KB

3

Well, the interesting part is, if I toggle Newest first in Grafana, the log lines were showing as expected, in the correct reversed order though:

image
image1789×239 147 KB

4

hi @tonyswumac , could you please help check on this issue?

5

I’ll need to run some test tomorrow to see if increment_duplicate_timestamp works or not. But couple of things you could try:

  1. If you expand your logline in the explore view you should be able to see the timestamp in ns. Compare that to all your logs and see if it’s increasing. If not then either increment_duplicate_timestamp didn’t work for you or it’s not configured for some reason.

  2. As you probably read in the config page, increment_duplicate_timestamp is not perfect. But it looks like your logs are from the same container so it probably shouldn’t be an issue. I’ll test tomorrow and let you know what I find.

  3. Try an API call, and see if the timestamp returned is being incremented.

6

Hi Tony,
Thanks for your suggestion and here is the output:

  1. Logcli

    image
    image2549×355 61.3 KB

    Order is correct, though there is no millisecond part in the timestamp, did I miss some parameter?

  2. API

    image
    image2553×843 158 KB

    Order is correct, so is the timestamp, but the nanosecond is not incremented as expected.

Looking forward to your further test.

7

It seems this is similar to "Show Context" doesn't show surrounding lines when multiple lines have the same timestamp · Issue #64966 · grafana/grafana · GitHub, but that issue was closed.

8

I did some testing on the configuration increment_duplicate_timestamp, and I can’t seem to make it work either. I did three tests, all three tests were done with monolithic Loki deployment and with API call.

First test: Loki 2.9.8, increment_duplicate_timestamp set to false.
Second test: Loki 2.9.8, increment_duplicate_timestamp set to true.
Third test: Loki 3.0.0., increment_duplicate_timestamp set to true.

In all three tests the timestamp remains the same for all the logs. I purposely set the timestamp to be 0000 on the last 4 digits (so should be same millisecond), and I did not see any change on timestamp regardless of what increment_duplicate_timestamp was set to.

I will probably look at the code and see what I can find when i have some time, but hopefully someone more knowledgable can chime in.

9

I should also point out though, that I did not see the problem you are experiencing, meaning when I did my test I sent in 10 log lines for each test, from number 1 to 10. And when querying they did show up in order in Grafana and API call, it’s just that you can’t reverse or change the order from the explore UI because they all had the timestamps, but nevertheless they still showed up in order.

10

hi @tonyswumac,

Thanks for your effort on this, really appreciated that.

Is fluent-bit the log shipper you were testing? Could you please test the log files in my case as well at your convenience?

Per my test, the result of either API or Logcli is correct but Grafana, I am suspecting whether this is a Grafana issue.

I will try some other log files further.

11

I ran my tests using just API calls. If you are using fluent bit I’d recommend double checking and see if you are using multiple threads. If you are using multiple threads then your logs could arrive out-of-order if you are sending logs to Loki with more than one threads.

12

All system level config in fluent-bit is as default.

The log lines with same timestamp are only reversely ordered in Grafana but not in: Loki API, Loki logcli and Fluentbit console.

13

BTW what do you mean exactly by “reversed ordered”?

If you send the following lines of logs with the same timestamp:

line1
line2
line3

In Grafana you’ll always see

line3
line2
line1

Is this what you are seeing? If so this is normal, because grafana by default always shows the latest logs first, and because your logs have the same timestamp you can’t reverse the order.

1 Like
14

Yes Tony, that is my case!

I just check the log visualization of Grafana:

  • Order - Display results in descending or ascending time order. The default is Descending, showing the newest logs first. Set to Ascending to show the oldest log lines first.

So it is by design, isn’t it?

I am afraid end user might be confused or even misguided by the reversed order from line3 to line1, as the real order is from line1 to line3 in the original logs.

Is there any workaround we can do?

15

Btw, logcli only supports second instead of millisecond, there is a bug opened already: Support subsecond resolution timestamps in logcli's default output mode · Issue #9635 · grafana/loki · GitHub, any news for this from your side?

16

This is what increment_duplicate_timestamp is supposed to fix, but it seems to not work. I don’t know if there is a way to change the default display order from Grafana, I did a quick search and couldn’t find a configuration for it, but I am also not an expert on Grafana.

I think your best bet is to educate users accordingly for now, and consider adding nanoseconds to your logs if your app supports it. Short of that, we’d have to see if a developer can pick up your github issue.

I don’t use LogCLI myself, so never actually noticed it. I usually use API call if I need to poke at Loki outside of Grafana.

17

Thanks Tony for the suggestion.

I just reopened the issue:

And I also opened another one in Grafana for the display:

Hope there would be some response from the developers.

Will close this one for now.

Good day!