Loki.process will not rewrite timestamp

bkerwin · May 29, 2025, 2:59pm

Hello community. I have been at this for days. I cannot get loki to take the timestamp from my log files. It will only use scrape time. I have read dozens of threads and examples on this topic and can’t seem to find the magic. I have output my regex extracted timestamp as a label to troubleshoot that it is extracting ok which it is, so I know the loki.process is working. Below is my snippet as well as a log file line example. Any help is greatly appreciated.

log line:
2025-05-28 05:56:23.616 -07:00 [INF] == Lender import File processing started
my timetsamp label outputs:
2025-05-28 05:56:23.616

loki.process “labels” {

stage.regex {
expression = (?P<timestamp>(?:\d{4}|\d{2})-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(\.|,)\d{3})(.*$)
}

stage.timestamp {
source = “timestamp”
format = “RFC3339”
fallback_formats = [“2006-01-02 03:04:05.000”,“2006-01-02 03:04:05,000”]
}

// Testing only
stage.labels {
values = {
timestamp = “”,
}
}

stage.static_labels {
values = {
service_name = “Bryanmgmt01”,
environment = “Bryanmgmt01”,
}
}

stage.output {
source = “message”
}

forward_to = [loki.write.loki.receiver]

}

bkerwin · May 29, 2025, 5:40pm

Finally got this working with correct timestamp. Found one issue in my config. I needed to change 12 hour time to 24 hour time. so now I have the 15 instead of the 03 for the hour:
fallback_formats = [“2006-01-02 15:04:05.000”,“2006-01-02 15:04:05,000”]

Also, I was using older logs with older timestamps for testing and for some reason loki doesn’t like this even if I set “tail_from_end” to false. A bit concerning I can’t pull in older log lines. Maybe there is a better way for it to set that point it thinks it left off at? What if I want to ingest an entire logfile even if it is days old?

tonyswumac · May 29, 2025, 5:47pm

There are two conditions for sending old logs into Loki:

Make sure reject_old_samples_max_age is configured according to your needs.
Loki will not accept older logs in a log stream if there are new logs already present (log stream is defined as logs with the same set of labels). So if you set Alloy to not tail from end, Loki will accept all the logs up to reject_old_samples_max_age assuming you don’t already have logs in the same log stream.

bkerwin · May 29, 2025, 9:10pm

So if I had older timestamps (several hours old) in a completely new logfile name it did take them in and parse timestamp correct, but if they were 2 days old it did not. Is there a limit to how far back loki will ingest logs based on timestamp?

bkerwin · May 29, 2025, 9:12pm

ahhh, ok, thank you @tonyswumac for that max age setting. I will play with that.

bkerwin · May 30, 2025, 9:38pm

one more update for anyone else following along. I fixed the timezone my browser was showing by adding the location in my alloy config for the stage.timestamp. using the actual timezone that the logs are created in.

stage.timestamp {
source = “timestamp”
format = “RFC3339”
fallback_formats = [“2006-01-02 15:04:05.000”,“2006-01-02 15:04:05,000”]
location = “America/Los_Angeles”
}

Topic		Replies	Views
Stage.timestamp with Alloy Grafana Alloy loki	11	992	March 19, 2025
How do you use a label as a string in a loki.process block? Attempting timestamp formatting Grafana Alloy loki	1	47	February 28, 2025
Question about time extraction Grafana Alloy time-selection	7	191	February 27, 2025
Alloy – loki.process stage.timestamp not rewriting the timestamp Grafana Alloy	3	454	January 14, 2025
Timestamp hh:mm:ss Grafana Loki	16	3094	September 21, 2022

Loki.process will not rewrite timestamp

Related topics