Hi
I’m trying to create a counter showing topk firewall connection attempt rate by geoip_country_name.
I’d given up querying Loki directly and have tried exporting custom values to prometheus using the following lines:
    - metrics:
        src_country:
          type: Counter
          description: "Source Country"
          source: geoip_country_name
          config:
            match_all: true
            action: inc
Querying my server on port http://[host]:9080/metrics yields lines like:
promtail_custom_src_country{geoip_autonomous_system_number="11664",geoip_autonomous_system_organization="Techtel LMDS Comunicaciones Interactivas S.A.",geoip_continent_code="SA",geoip_country_name="Argentina",geoip_timezone="America/Argentina/Buenos_Aires"} 1
promtail_custom_src_country{geoip_autonomous_system_number="135377",geoip_autonomous_system_organization="UCLOUD INFORMATION TECHNOLOGY HK LIMITED",geoip_continent_code="AS",geoip_country_name="Thailand",geoip_timezone="Asia/Bangkok"} 1
promtail_custom_src_country{geoip_autonomous_system_number="16276",geoip_autonomous_system_organization="OVH SAS",geoip_continent_code="NA",geoip_country_name="Canada",geoip_timezone="America/Toronto"} 1
My question: how do I reduce my Prometheus output to only promtail_custom_src_country = value?
And here's my /etc/loki/config.yml, with comments stripped:
server:
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  filename: /tmp/positions.yaml
clients:
scrape_configs:
  - job_name: firewall
    pipeline_stages:
      - regex:
          expression: '((?P\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}+\d{2}:\d{2})\s(?P\w+)\s(?P\w+)\s(?P[^:]+):\s)?in:(?P<input_interface>[^,]+)\s+out:(?P<output_interface>[^,]+),\sconnection-state:(?P[^\s]+)\s+(?:src-mac\s+(?P[^,]+),\s+)?proto\s+(?P\w+)(?:\s+((?P[^)]+)))?,\s+[?(?P<src_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|[a-f\d:]+)]?(?::(?P\d+))?->[?(?P<dst_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|[a-f\d:]+)]?(?::(?P<dst_port>\d+))?,\s(NAT\s?[?(?P\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|[a-f\d:]+)]?(?::(?P\d+))?->([?(?P\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|[a-f\d:]+)]?(?::(?P\d+))?->[?(?P\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|[a-f\d:]+)]?(?::(?P\d+))?),\s)?len\s+(?P\d+)'
      - geoip:
          db: "/var/lib/GeoIP/GeoLite2-Country.mmdb"
          source: "src_ip"
          db_type: "city"
      - geoip:
          db: "/var/lib/GeoIP/GeoLite2-City.mmdb"
          source: "src_ip"
          db_type: "city"
      - geoip:
          db: "/var/lib/GeoIP/GeoLite2-ASN.mmdb"
          db_type: "asn"
          source: "src_ip"
      - labelallow:
          - geoip_country_name
          - geoip_continent_code
          - geoip_timezone
          - geoip_autonomous_system_number
          - geoip_autonomous_system_organization
      - labeldrop:
          - geoip_postal_code
          - geoip_subdivision_code
          - geoip_subdivision_name
          - geoip_location_latitude
          - geoip_location_longitude
      - metrics:
          src_country:
            type: Counter
            description: "Source Country"
            source: geoip_country_name
            config:
              match_all: true
              action: inc
      - labels:
          v4orv6:
          geoip_country_name:
          geoip_continent_code:
          geoip_timezone:
          ConStat:
    static_configs:
      - targets:
          - localhost
        labels:
          job: firewall
          path: /var/log/router.log
Thanks in advance for your help (and the great products)!
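Added example, not part of the original post and not Promtail's or Prometheus's own code: a small Python parser for the Prometheus text exposition lines shown above that collapses the per-ASN/timezone series onto geoip_country_name and ranks them, which is what the server-side PromQL query `topk(5, sum by (geoip_country_name) (rate(promtail_custom_src_country[5m])))` does against the scraped counter. The fourth series and all sample values are constructed for the example; the function names are my own.

```python
"""Collapse Promtail's custom counter onto one label, offline.

Mirrors `sum by (geoip_country_name)` and `topk` from PromQL on the text
exposition format so the aggregation can be checked without a Prometheus.
"""
import re
from collections import defaultdict

# Constructed sample: label values follow the lines in the post; the fourth
# series (second Canadian timezone) and all sample values are made up.
SAMPLE_METRICS = """\
# HELP promtail_custom_src_country Source Country
# TYPE promtail_custom_src_country counter
promtail_custom_src_country{geoip_autonomous_system_number="11664",geoip_autonomous_system_organization="Techtel LMDS Comunicaciones Interactivas S.A.",geoip_continent_code="SA",geoip_country_name="Argentina",geoip_timezone="America/Argentina/Buenos_Aires"} 1
promtail_custom_src_country{geoip_autonomous_system_number="135377",geoip_autonomous_system_organization="UCLOUD INFORMATION TECHNOLOGY HK LIMITED",geoip_continent_code="AS",geoip_country_name="Thailand",geoip_timezone="Asia/Bangkok"} 1
promtail_custom_src_country{geoip_autonomous_system_number="16276",geoip_autonomous_system_organization="OVH SAS",geoip_continent_code="NA",geoip_country_name="Canada",geoip_timezone="America/Toronto"} 1
promtail_custom_src_country{geoip_autonomous_system_number="16276",geoip_autonomous_system_organization="OVH SAS",geoip_continent_code="NA",geoip_country_name="Canada",geoip_timezone="America/Vancouver"} 4
"""

# One sample line: metric name, optional {label="value",...} set, value.
_SERIES_RE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)'
    r'(?:\{(?P<labels>.*)\})?'
    r'\s+(?P<value>\S+)'
)
# One label pair; the value may contain \" \\ \n escapes per the text format.
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')
_ESCAPES = {'"': '"', '\\': '\\', 'n': '\n'}


def _unescape(value):
    """Undo the three escapes the exposition format allows in label values."""
    return re.sub(r'\\(["\\n])', lambda m: _ESCAPES[m.group(1)], value)


def parse_exposition(text):
    """Return [(metric_name, labels_dict, float_value)] for each sample line,
    skipping blank lines and # HELP / # TYPE comments."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = _SERIES_RE.match(line)
        if not m:
            raise ValueError(f'unparseable sample line: {line!r}')
        labels = {k: _unescape(v)
                  for k, v in _LABEL_RE.findall(m.group('labels') or '')}
        samples.append((m.group('name'), labels, float(m.group('value'))))
    return samples


def sum_by(samples, metric, label):
    """Equivalent of PromQL `sum by (<label>) (<metric>)`: every other label
    is dropped and series sharing the kept label value are added together."""
    totals = defaultdict(float)
    for name, labels, value in samples:
        if name == metric and label in labels:
            totals[labels[label]] += value
    return dict(totals)


def topk(k, totals):
    """Equivalent of PromQL `topk(k, ...)`; ties are broken by label value so
    the output is deterministic."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == '__main__':
    samples = parse_exposition(SAMPLE_METRICS)
    by_country = sum_by(samples, 'promtail_custom_src_country', 'geoip_country_name')
    for country, count in topk(3, by_country):
        print(f'promtail_custom_src_country{{geoip_country_name="{country}"}} {count:g}')
```

Running it prints one line per country with only the geoip_country_name label left, Canada first because its two series are summed. The same collapse happens in Prometheus when the query aggregates with `sum by (geoip_country_name)`, so the extra geoip labels on the scraped series do not have to be removed at the Promtail side for a per-country topk panel to work.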