Hello,
For unstructured logs (from Microsoft IIS) should I (still) have a regex pipeline stage in the Promtail config, or should I just count on the newer pattern parser ("New in Loki 2.3: LogQL pattern parser makes it easier to extract data from unstructured logs", Grafana Labs) in Loki 2.3? I’m not clear on whether the pattern parser should replace the Promtail regex pipeline or not. Please point me in the right direction.
Thanks,
Dan
For this working promtail config:
```yaml
server:
  #http_listen_port: 0
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  filename: C:\promtail\positions.yaml
clients:
  - url: http://grafana.-----.com:3100/loki/api/v1/push
scrape_configs:
  - job_name: iis
    static_configs:
      # In order to monitor site logs insert another
      # static_config like the sample below
      - targets:
          - localhost
        labels:
          job: iis
          #instance: <your-instance-name>
          #site: <your-site1-name>
          __path__: C:/inetpub/logs/LogFiles/W3SVC6/*.log
    pipeline_stages:
      - match:
          # Drop lines that are comments (start with #)
          selector: '{job="iis"} |~ "^#"'
          action: drop
          drop_counter_reason: iis_comment_line
      - match:
          selector: '{job="iis"}'
          stages:
            - regex:
                # One named group per space-separated IIS field. The last group is greedy (\S+):
                # a trailing lazy \S+? with no anchor would capture only one character.
                expression: '(?P<timestamp>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (?P<server_ip>\S+) (?P<method>\S+?) (?P<cs_uri_stem>\S+?) (?P<cs_uri_query>\S+?) (?P<s_port>\S+?) (?P<cs_username>\S+?) (?P<c_ip>\S+?) (?P<cs_User_Agent>\S+?) (?P<cs_referer>\S+?) (?P<cs_host>\S+?) (?P<sc_status>\S+?) (?P<sc_substatus>\S+?) (?P<sc_win32_status>\S+?) (?P<sc_bytes>\S+?) (?P<cs_bytes>\S+?) (?P<time_taken>\S+)'
            - timestamp:
                source: timestamp
                format: "2006-01-02 15:04:05"
```
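An offline check of this kind of IIS field regex, added here as an example and not part of the original post: it uses Go's `regexp` package (RE2, the syntax Promtail's regex stage accepts) to show that a lazy final group with no anchor captures only one character of `time_taken`. The helper names `buildIISRegex` and `ParseIIS` and the sample log line are constructed for illustration; the field names and order come from the config's expression.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Field names after the timestamp, in the order used by the regex stage in the config.
var iisFields = strings.Fields("server_ip method cs_uri_stem cs_uri_query s_port cs_username c_ip cs_User_Agent cs_referer cs_host sc_status sc_substatus sc_win32_status sc_bytes cs_bytes time_taken")

// buildIISRegex (hypothetical helper) assembles the expression; lastGroup is the final field's pattern.
func buildIISRegex(lastGroup string) *regexp.Regexp {
	expr := `(?P<timestamp>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2})`
	for i, name := range iisFields {
		pat := `\S+?`
		if i == len(iisFields)-1 {
			pat = lastGroup
		}
		expr += fmt.Sprintf(` (?P<%s>%s)`, name, pat)
	}
	return regexp.MustCompile(expr)
}

// ParseIIS (hypothetical helper) mirrors the two match stages: "#" comment lines
// are dropped, other lines yield their named groups. ok is false if nothing is extracted.
func ParseIIS(re *regexp.Regexp, line string) (map[string]string, bool) {
	m := re.FindStringSubmatch(line)
	if strings.HasPrefix(line, "#") || m == nil {
		return nil, false
	}
	out := make(map[string]string, len(m))
	for i, name := range re.SubexpNames() {
		if name != "" {
			out[name] = m[i]
		}
	}
	return out, true
}

// Constructed sample line (documentation-range IPs), not taken from a real server.
const sampleLine = `2021-08-10 14:03:27 192.0.2.10 GET /login.aspx user=a 443 - 203.0.113.7 Mozilla/5.0 - www.example.test 200 0 0 5123 412 187`

func main() {
	for _, last := range []string{`\S+?`, `\S+`} {
		f, _ := ParseIIS(buildIISRegex(last), sampleLine)
		fmt.Printf("last group %-5s -> time_taken=%q sc_status=%q\n", last, f["time_taken"], f["sc_status"])
	}
}
```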