Question about time extraction

Bob · February 25, 2025, 1:59pm

Hi, I am new to Grafana Loki and Alloy, and I am having difficulty extracting the timestamp from the logs.

Here is an example log:

1,2/16/25 13:51,16301012097
1,2/16/25 13:50,16301012112

I have written this regex and tested it in a regex tester, but it does not work in Alloy. It is still showing the log injection time. Can I get some advice? Thanks.

Alloy, version v1.6.1
Grafana v11.5.2

loki.process "add_labels_timestamp" {
  stage.static_labels {
    values = {
      job  = "job1",
      service_name = "service1",
    }
  }

  stage.regex {
    expression ="^(?P<sn>[^ ]+)\\,(?P<timestamp>\\d+\\/\\d+\\/\\d+\\s\\d+\\:\\d+)\\,(?:.*)"
  }

  stage.timestamp {
    source = "timestamp"
    format = "2/16/25 13:50"
  }

  forward_to = [loki.write.grafana_loki.receiver]
}

tonyswumac · February 25, 2025, 4:42pm

When using a custom format you need to reference a specific time (see time package - time - Go Packages).

Try changing your format to 1/02/06 15:04

Bob · February 25, 2025, 10:59pm

Thanks. After changing the config to 1/02/06 15:04, the new log cannot be found in any selected time range. I have tried selecting the entire years 2001, 2002, 2006, 2016, and 2025, but no new log can be found.

Any suggestions for troubleshooting? Thanks a lot.

yosiasz · February 26, 2025, 12:23am

Anything from Loki logs , any errors

Bob · February 26, 2025, 7:15am

Thanks for the hint.

I checked the logs using the command journalctl -f -u loki | grep sample.log and saw an error mentioning ‘has timestamp too old.’ This proves that the regex should be working.

Then, I added reject_old_samples and reject_old_samples_max_age to the Loki config file.

limits_config:
  metric_aggregation_enabled: true
  reject_old_samples: false
  reject_old_samples_max_age: 1y

After restarting Loki and adding a sample log to the sample.log file, I no longer see the ‘timestamp too old’ error, but I still cannot search for the log in Grafana.

Bob · February 26, 2025, 10:39am

Hi all, after further study, I understand that the label is affected by the log timestamp. When a label is mapped to a log with a newer timestamp, that label no longer accepts logs with older timestamps, even if the reject_old_samples setting is enabled.

I attempted to create a new set of Alloy configuration with a new log filename and label, then appending old logs one by one in ascending order of timestamp to the new log file. No ‘timestamp too old’ error appeared because the labels were new. The new filename and label appeared in Grafana Explore quickly, but the logs still could not be found.

After a period of time, with numerous service restarts and trial and error (such as appending new logs with no timestamp), the logs suddenly became searchable in Explore.

old_timestamp

I cannot understand the behavior, and I don’t even know how to reproduce it. Let’s see if someone knows what is happening or can help troubleshoot it together. Thanks a lot.

yosiasz · February 26, 2025, 12:26pm

Look at this thread it might help . Issue was on Loki side

github.com/grafana/alloy

implement use_incoming_timestamp

opened 03:48PM - 20 Feb 25 UTC

yosiasz

enhancement

### Request greetings would really be nice if `use_incoming_timestamp ` could …be implemented with `stage.*` Currently, there seems to either be a bug or something else where in you cannot use timestamp coming from json logs. ``` logging { level = "info" format = "logfmt" } loki.source.file "files" { targets = [ {__path__ = "/tmp/ts_where_are_you.log"}, ] forward_to = [loki.process.process_logs.receiver] } loki.process "process_logs" { stage.json { expressions = { eventMessage = "", messageType = "", ts = "timestamp", } } stage.timestamp { source = "ts" format = "2006-01-02 15:04:05.999999-0700" action_on_failure = "fudge" } stage.template { source = "messageType" template = `{{ Replace .Value "Default" "Notice" -1 | ToLower }}` } stage.labels { values = { level = "messageType", } } stage.output { source = "eventMessage" } forward_to = [loki.write.local_loki.receiver,loki.echo.debug.receiver] } loki.echo "debug" { } loki.write "local_loki" { endpoint { url = "http://loki:3100/loki/api/v1/push" } } ``` ``` {"eventMessage":"This is my log message","messageType":"Default","timestamp":"2025-0-18 06:54:49.663652-0600"} {"eventMessage":"This is my 2nd log message","messageType":"Notice","timestamp":"2025-02-19 06:55:49.663652-0600"} {"eventMessage":"This is my 3rd message","messageType":"Default","timestamp":"2025-0-19 01:54:49.663652-0600"} {"eventMessage":"This is my 4th log message","messageType":"Notice","timestamp":"2025-02-18 22:00:49.663652-0600"} ``` Thanks! ### Use case because I am not able to capture timestamp from log itself. Gracias

Bob · February 27, 2025, 2:47am

Thanks, everyone. I have tried the whole process again, and it seems that I have found the reason.

Overall, the settings are correct. The issue is caused by server performance and the sequence of timestamps in the logs.

It is better to first sort the logs by timestamp in ascending order, and then find a machine with better performance for testing.

Topic		Replies	Views
Stage.timestamp with Alloy Grafana Alloy loki	8	153	February 25, 2025
Alloy log processing Grafana Alloy	4	447	August 21, 2024
Timestamp not recognized in old logs / regex Grafana Loki loki , regex , timestamp	3	1499	April 25, 2024
How do you use a label as a string in a loki.process block? Attempting timestamp formatting Grafana Alloy loki	1	17	February 28, 2025
Alloy – loki.process stage.timestamp not rewriting the timestamp Grafana Alloy	3	154	January 14, 2025

Question about time extraction

Related topics