Promtail Negative Lookahead Problem

Grafana Loki
,
1

Hello,

I want to filter my logs before sending them to Loki with Promtail. Actually, my goal is to send only ERR and INFO logs to Loki. However, even though I write this in the regex section, it sends all the logs. I also tried drops. But I don’t know all the possibilities other than CRIT and WARN, so I don’t know what to drop.

    pipeline_stages:
    - match:
        selector: '{job="testlogs"}'
        stages:

        - regex:
            expression: '^ *(?P<Log_Time>\d{1,2}:\d{1,2}:\d{1,2}) +(?P<Level>(ERR|INFO)) +(?P<Messages>.*)$'
        - drop:
            expression: '^ *(?P<Log_Time>\d{1,2}:\d{1,2}:\d{1,2}) +((CRIT|WARN))(?P<Level>\w+) +(?P<Messages>.*)$'

Actually, if I change the Level part as follows, my expression works on regex validation sites.

+(?!(ERR|INFO))(?P<Level>\w+)

But promtail gives this error:
drop stage regex compilation error: error parsing regexp: invalid or unsupported Perl syntax: (?!"

Does anyone have a solution suggestion?

2

The drop stage drops messages that match the expression. It does not do group capture (which is why you get the error). So if you wanted to use the drop filter, you could do something like this (not tested):

- drop:
    expression: '^.+(CRIT|WARN).*$'

Of course this may not be ideal, because it matches the entire log string, and if you happen to have CRIT or WARN in other parts of the logs they will get dropped as well.

A better way would be to perform regex group capture (which are you are doing), create labels based on those, then use a match filter to drop logs. Something like this (not tested):

- regex:
    expression: '^ *(?P<Log_Time>\d{1,2}:\d{1,2}:\d{1,2}) +(?P<Level>(ERR|INFO)) +(?P<Messages>.*)$'

- labels:
    Level:

- match:
    selector: '{Level!~"^(ERR|INFO)$"}'
    action: drop
    drop_counter_reason: non_essential_log
3

Thank you for the example. I found the solution as follows:

pipeline_stages:
- match:
    selector: '{job="myjob" !~ "^ *(?P<Log_Time>\\d{1,2}:\\d{1,2}:\\d{1,2}) +(?P<Level>(ERR|INFO)) +(?P<Messages>.*)$"}'
    action: drop

What is written in the ‘drop:’ tab are the logs that will be dropped when they comply with the regex expression. However, if it is ‘action: drop’, it will drop the logs that match what I wrote in the ‘selector’ section. I say use the ‘!~’ operator in myjob. Find the ones that are not ERR or INFO and “drop” them as action. Thus, it drops everything it finds, except ERR and INFO, that does not fit this expression.