Stage.timestamp with Alloy

Grafana Alloy
1

Hey! I’ve been trying to parse my logs and assign the log timestamp to the Grafana timestamp. Right now, the timestamp reflects when the log is ingested into Loki, but I want to use the actual timestamp from the log itself. I’ve been working with the following Loki process and log structure, and the message extraction is working fine, but I can’t seem to get the timestamp sync to work.

Logs:

{
  "body": {
    "@timestamp": "2025-01-20T19:25:48.893Z",
    "message": "{\"\"}",
    "message_size": 1089,
    "stream": "stdout",
    "tags": [
      ""
    ]
  }
}

Config:

loki.process "process_logs" {
	
	forward_to = [loki.relabel.filter_labels.receiver]

	stage.static_labels {
		values = {
			job = "consumer_prod__paas_prdpg_apps",
		}
	}

	// Process the massive blob of Json for Elastic and 
   //take the useful metadata from it
	stage.json {
		expressions = {
			extracted_log_message    = "body.message",
			extracted_timestamp      = "'body.@timestamp'",
		}
	}

	stage.label_drop {
		values = ["filename"]
	}

	
		source = "extracted_log_message"
	}

	stage.timestamp {
		source = "extracted_timestamp"
		format = "RFC3339"
		

}
2

Try this:

loki.process "process_logs" {
    forward_to = [loki.relabel.filter_labels.receiver]

    stage.static_labels {
        values = {
            job = "consumer_prod__paas_prdpg_apps",
        }
    }

    // Process the massive blob of Json for Elastic and 
   //take the useful metadata from it
    stage.json {
        expressions = {
            extracted_body    = "body",
        }
    }

    stage.json {
        source      = "extracted_body"
        expressions = {
            extracted_log_message    = "message",
            extracted_timestamp      = "@timestamp",
        }
    }

    stage.label_drop {
        values = ["filename"]
    }

    stage.output {
        source = "extracted_log_message"
    }

    stage.timestamp {
        source = "extracted_timestamp"
        format = "RFC3339"
    }
}
3

Still doesn’t work!
The parsing of the message is working correctly and the output is correct, but I can’t seem to get the timestamp part to work.

4

Tested the config, I think the problem is with the @ symbol. I would recommend you to see if you can remove that from your source log. If not, use a replace block to get rid of it.

This is the config I used to test your log:

Sample log (/tmp/test.log):

{"body": {"@timestamp": "2025-01-20T19:25:48.893Z","message": "{\"this is test log\"}","message_size": 1089,"stream": "stdout","tags": [""]}}

Alloy config:

local.file_match "test" {
  path_targets = [{
    __path__ = "/tmp/test.log",
    job      = "test",
  }]
}

loki.source.file "logs" {
  targets    = local.file_match.test.targets
  forward_to = [loki.process.process_logs.receiver]
}

loki.process "process_logs" {
    forward_to = [loki.echo.test.receiver]

    stage.replace {
      expression = `(\@timestamp)`
      replace    = "timestamp"
    }

    stage.static_labels {
      values = {
        job = "consumer_prod__paas_prdpg_apps",
      }
    }

    stage.json {
      expressions = {
        extracted_body = "body",
      }
    }

    stage.json {
      source      = "extracted_body"
      expressions = {
        extracted_log_message = "message",
        extracted_timestamp   = "timestamp",
      }
    }

    # for testing only
    stage.labels {
      values = {
        extracted_timestamp = "",
      }
    }

    stage.label_drop {
      values = ["filename"]
    }

    stage.output {
      source = "extracted_log_message"
    }

    stage.timestamp {
      source = "extracted_timestamp"
      format = "RFC3339"
    }
}

loki.echo "test" { }

Alloy echo output:

level=info component_path=/ component_id=loki.echo.test receiver=loki.echo.test entry="{\"this is test log\"}" labels="{extracted_timestamp=\"2025-01-20T19:25:48.893Z\", job=\"consumer_prod__paas_prdpg_apps\"}"
5

It worked! Thank you for your help!!