On What Bases Does Loki Require Explicit Parsing to Detect Fields?

Hello, I have tried using Fluentd, Promtail and Opentelemtry Lokiexporter to push logs to Loki, both Fluentd and Opentelemtry require adding | json or | logfmt to the query to show Fields other than the Labels, while Promtail parse Fields without the need of adding | json.

I tried changing the Opentelemtry Lokiexporter log format to logfmt or raw but it didn’t help, I need to parse it using | logfmt.

This is how Fluentd and Opentelemtry show logs without adding a parser in the query

This is how Promtail shows logs without adding a parser in the query

Update: I updated the screenshots added more demonstration and I’m using default setup for Promtail, for Opentelemtry and Fluentd I tried most of the options

In general I prefer to parse log lines on Loki and keep the log pipeline as simple as possible. Here is good reference: Label best practices | Grafana Loki documentation.

Consider the following logline:

{"level": "info", "ts": "12345", "msg": "Finished reconciling."}

And let’s say this log comes from:

AWS account: 1234567890
EC2 instance ID: i-ec2id13579

If you use the default promtail configuration, the logline gets sent into Loki as is. But you probably already recognize that it would be useful to have the account ID and instance ID as labels of the logline, even though they are not part of the logline. So you might add some static labels to promtail like so:

- labels:
    aws_account_id: 1234567890
    ec2_instance_id: i-ec2id13579

There are occasions when certain part of the logline can be useful as labels. For example, you might want the level to be a label, then you can parse the logline and use part of it as label:

- static_labels:
    aws_account_id: 1234567890
    ec2_instance_id: i-ec2id13579

- json:
    expressions: level

- labels:

This is the part where you get to decide how granular you want to go with this. You can parse the entire logline and make every key into labels (probably not the best idea), or you can send loglines as is and just add identifying information as labels.

Generally speaking I prefer to keep the log pipeline as simple as possible, and think of labels as a way to identify the characteristics of the logline and keep those to a minimum, and if needed parse the logs after they land in Loki.

1 Like