Description: I’m trying to relabel the component name in my Promtail configuration based on a log keyword using regex. However, the logs in Grafana Loki are still showing the original component name (“ASA”) instead of the expected “Firewall”.
Promtail Version: promtail-linux-amd64 version 2.7.0 (branch: HEAD, revision: 1a2b3c4d)
Sample Log:
%ASA-2-106001: Inbound TCP connection denied from 11.111.11.111/52309 to 14.143.144.15/80 flags SYN on interface outside
Promtail Configuration:
server:
http_listen_port: 9080
log_format: logfmt
grpc_listen_port: 0
positions:
filename: /home/pc-tools-robotic/positions.yaml
clients:
- url: https://telemetry.pc.net/loki/api/v1/push
tenant_id: rad
external_labels:
region: westeurope
product_id: rad
provider: azure
env: prod
app: pc-syslogs-collector
node_name: app01
oauth2:
client_id: ***
client_secret: ***
token_url: Sign in to your account
scrape_configs:
- job_name: syslog
syslog:
listen_address: 0.0.0.0:1514
idle_timeout: 1h
label_structured_data: false
use_incoming_timestamp: true
labels:
component: “syslog-collector”
pipeline_stages:- regex:
expression: 'msg (?P\d+): <187>(?P\d+): (?P\S+) (\w{3} \d{2} \d{2}:\d{2}:\d{2}): (?P.*)'relabel_configs: - source_labels: [__syslog_message_hostname]
target_label: instance - source_labels: [component]
target_label: component
regex: ‘ASA’
replacement: ‘Firewall’
- regex: