I send my iis logs to loki using alloy, then I want to create some dashboards on grafana.
{host="foo.bar.com"} | pattern `<date> <time> <svcname> <_> <sip> <_> <_> <_> <_> <_> <_> <_> <_> <_> <_> <_> <_> <_> <request_bytes> <response_bytes> <duration>`
here, after the duration field at the end of the line is parse, there is a \r character at the end that does not appear on the screen.
so, if I want to do a numeric filtering according to this duration field after parse, I get the following error
strconv.ParseFloat: parsing “9\r”: invalid syntax
where and how do you think I can control this situation?
Probably best to try and get rid of it before sending logs to Loki (should be able to do this with any log agent). Once logs are in Loki they cannot be altered anymore.
actually I know that the correct solution is to transform the logs while collecting them with alloy. but I don’t think this \r character came from the original log.
Nevertheless, to eliminate such a possibility, I use a grouping expression like the following
stage.regex {
expression = `^(?P<date>[^ ]*) (?P<time>[^ ]*) (?P<site>[^ ]*) (?P<computer>[^ ]*) (?P<serverip>[^ ]*) (?P<method>[^ ]*) (?P<path>[^ ]*) (?P<query>[^ ]*) (?P<port>[^ ]*) (?P<username>[^ ]*) (?P<ip>[^ ]*) (?P<version>[^ ]*) (?P<agent>[^ ]*) (?P<referer>[^ ]*) (?P<host>[^ ]*) (?P<status>[^ ]*) (?P<substatus>[^ ]*) (?P<win32_status>[^ ]*) (?P<request_bytes>[^ ]*) (?P<response_bytes>[^ ]*) (?P<duration>\d+)\r?$`
}
but this selection does not select the trailing \r character in the original log. I don’t know how to do it, to be honest.
i guess this is works
stage.replace {
expression = "(\\r+)"
replace = ""
}
1 Like
