Regex stage not parsing Podman container logs from journald

Grafana Alloy
1

Hi Alloy/Loki community,

I’m trying to parse Python logs coming from Podman containers using a loki.process regex stage. Logs written directly to journald from Podman do not get parsed, but if I send the same log manually to journald (e.g., via logger), it parses correctly.

Here’s my alloy config:

// Modify journal source to collect all entries
loki.source.journal “logs_integrations_integrations_node_exporter_journal_scrape” {
max_age = “24h0m0s”
// No matches - collect everything including Podman
relabel_rules = discovery.relabel.logs_integrations_integrations_node_exporter_journal_scrape.rules
format_as_json = false
forward_to = [loki.process.extract_logger.receiver]
}

// Process logs with regex
loki.process “extract_logger” {
stage.regex {
expression = “^(?P\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\s*-\s*(?P[A-Z]+)\s*-\s*(?P.*)$”
labels_from_groups = true
}
forward_to = [loki.write.local.receiver]
}

Example 1: Logline from a Podman container (does not parse)

[IN]: timestamp: 2025-10-10T17:56:25.156489Z, entry: 2025-10-10 17:56:25 - INFO - INFO log → stdout, labels: {boot_id=“42cbaacf9b6c4639ba8d06d553356c08”, job=“loki.source.journal.logs_integrations_integrations_node_exporter_journal_scrape”, level=“info”, syslog_identifier=“heartbeat-server”, transport=“journal”, unit=“libpod-conmon-b5f8c61043c2fc593ae6a03a3a5782e48d6ff15d912bead58dca7da88bd6136e.scope”, container_id=“b5f8c61043c2”, container_name=“heartbeat-server”}, structured_metadata: {}
[OUT]: same as IN (regex not applied)

Example 2: Log sent manually to journald (parses correctly)

[IN]: timestamp: 2025-10-10T17:57:00.952306Z, entry: 2025-10-10 17:27:01 - INFO - INFO log → stdout, labels: {boot_id=“42cbaacf9b6c4639ba8d06d553356c08”, job=“loki.source.journal.logs_integrations_integrations_node_exporter_journal_scrape”, level=“notice”, syslog_identifier=“heartbeat-server”, transport=“syslog”}, structured_metadata: {}
[OUT]: timestamp=“2025-10-10 17:27:01”, loglevel=“INFO”, message=“INFO log → stdout”, plus other labels

Question:

Why does the regex not apply to logs coming from Podman containers via journald, but works for logs sent manually to journald (transport:syslog)? Do I need to extract the MESSAGE field first or configure the journal source differently?

Any guidance on how to reliably parse Python logs from Podman containers in Alloy/Loki would be appreciated.