Promtail parse timestamp RFC3164

Hey,

while working with some syslog files I struggle parsing timestamps with Promtail with RFC3164 (example: “Jul 8 08:16:12”). I have already written the captured string into a label, to make sure there isn’t an issue with my regex.
Could someone please provide me the necessary string for the timeformat?

In case it matters, I’m trying to parse our syslog messages and would like to make sure that the timestamp from the log gets used, not the timestamp the data gets parsed by Promtail. Right now I work only on a static file with my test setup, so I can’t really work with the data if all have the same timestamp. Besides that, I would like to ensure that I can also parse logs that were written but haven’t been submitted for whatever reason.

Happy weekend everyone.

I may have written a little too much prose, so I’ll try to focus a little more:

Input:
Jul 8 08:16:12

Expected Output:
2021-07-08T08:16:12.000Z as internal ts field

Problem:
the following part doesn’t work for me (syslog-ts is the name for the regex capture)
- timestamp:
    source: syslog-ts
    format: "Jul 8 08:16:12"

Any ideas for solving this problem?
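
For reference on the format question above, an added example that is not part of the original post: Promtail's timestamp stage takes custom formats as Go reference-time layouts, so this Go program parses the RFC3164 sample with the layout `Jan _2 15:04:05` and shows that the literal sample string is rejected when used as a layout. `ParseRFC3164`, the supplied `now` clock and the one-day rollover tolerance are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Go layouts describe the reference time "Mon Jan 2 15:04:05 MST 2006".
// rfc3164Layout equals time.Stamp; "_2" accepts a space-padded day.
const rfc3164Layout = "Jan _2 15:04:05"

// literalLayout is the sample value from the post, used as a layout.
const literalLayout = "Jul 8 08:16:12"

// ParseRFC3164 parses a year-less syslog timestamp as UTC and takes the
// year from now. A result more than a day ahead of now is treated as
// last year's entry (for example a December line read in January).
// The one-day tolerance is an assumption of this example.
func ParseRFC3164(s string, now time.Time) (time.Time, error) {
	t, err := time.Parse(rfc3164Layout, s)
	if err != nil {
		return time.Time{}, err
	}
	now = now.UTC()
	t = t.AddDate(now.Year(), 0, 0) // the parsed year is 0
	if t.After(now.Add(24 * time.Hour)) {
		t = t.AddDate(-1, 0, 0)
	}
	return t, nil
}

func main() {
	// Constructed clock and sample lines, not taken from a real system.
	now := time.Date(2021, time.July, 10, 12, 0, 0, 0, time.UTC)
	for _, s := range []string{"Jul 8 08:16:12", "Jul  8 08:16:12", "Dec 31 23:59:58"} {
		t, err := ParseRFC3164(s, now)
		fmt.Println(s, "->", t.Format(time.RFC3339), err)
	}
	// "Jul" and "8" are not layout tokens, so this layout cannot parse.
	_, err := time.Parse(literalLayout, "Jul 8 08:16:12")
	fmt.Println("literal layout:", err)
}
```
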
