Hi - I’m struggling with creating a custom label in my config.alloy. My rsyslog process on this node is collecting information from other devices, and I’d like to create a custom label to delineate by label in Grafana where the data is coming from.
Here’s an example that’s presently showing as unknown:
2025-07-24T10:58:56.499773-05:00 omada.montysplace.local 2025-07-24 10:57:34 Home Omada Controller-Home - - - DHCP Server allocated IP address ...
I’d like to take the second field in syslog via regex to assign the label as ‘syslog_host’ so I can parse it appropriately in Grafana. I’m struggling with the config.alloy - would anyone be able to help me accomplish this?
```alloy
// /////////////
// JOURNAL
// /////////////
// Collect logs from systemd journal for node_exporter integration
loki.source.journal "logs_integrations_integrations_node_exporter_journal_scrape" {
  // Only collect logs from the last 24 hours
  max_age = "24h0m0s"
  // Apply relabeling rules to the logs
  relabel_rules = discovery.relabel.logs_integrations_integrations_node_exporter_journal_scrape.rules
  // Send logs to the local Loki instance
  forward_to = [loki.write.local.receiver]
}
// Define relabeling rules for systemd journal logs
discovery.relabel "logs_integrations_integrations_node_exporter_journal_scrape" {
  targets = []
  rule {
    // Extract systemd unit information into a label
    source_labels = ["__journal__systemd_unit"]
    target_label = "unit"
  }
  rule {
    // Extract boot ID information into a label
    source_labels = ["__journal__boot_id"]
    target_label = "boot_id"
  }
  rule {
    // Extract transport information into a label
    source_labels = ["__journal__transport"]
    target_label = "transport"
  }
  rule {
    // Extract log priority into a level label
    source_labels = ["__journal_priority_keyword"]
    target_label = "level"
  }
}
// /////////////
// LOGS
// /////////////
// Define which log files to collect for node_exporter
local.file_match "logs_integrations_integrations_node_exporter_direct_scrape" {
  path_targets = [{
    // Target localhost for log collection
    __address__ = "localhost",
    // Collect standard system logs
    //__path__ = "/var/log/{syslog,messages,*.log}",
    __path__ = "/var/log/syslog",
    // Add instance label with hostname
    instance = constants.hostname,
    // Add job label for logs
    job = "integrations/node_exporter",
  }]
}
// Configure a loki.process component to parse the logs
loki.process "syslog_parser" {
  forward_to = [loki.write.default.receiver] // Replace default with your actual loki.write instance
  stage {
    // Use a regex stage to capture the second field
    // This regex looks for:
    // ^\S+ - one or more non-whitespace characters at the beginning (first field)
    // \s+ - one or more whitespace characters
    // (\S+) - captures one or more non-whitespace characters (the second field)
    // .* - matches the rest of the line
    regex {
      expression = "^\\S+\\s+(\\S+).*"
      // The captured group (the second field) will be available as 'captured_value'
    }
  }
  stage {
    // Use a labels stage to assign the captured value to syslog_host
    labels {
      syslog_host = "$1" // $1 refers to the first captured group from the regex
    }
  }
  source = logs_integrations_integrations_node_exporter_direct_scrape
}
// Collect logs from files for node_exporter
loki.source.file "loki.process.syslog_parser" {
  // Use targets defined in local.file_match
  targets = local.file_match.logs_integrations_integrations_node_exporter_direct_scrape.targets
  // Send logs to the local Loki instance
  forward_to = [loki.write.local.receiver]
}
// /////////////
// OUT TO LOKI
// /////////////
// Define where to send logs for storage
loki.write "local" {
  endpoint {
    // Send logs to a locally running Loki instance
    url = "http://syslog.montysplace.local:3100/loki/api/v1/push"
  }
}
```
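One way to wire the file pipeline so the second syslog field becomes the `syslog_host` label. This is an added example, not part of the original post; the component name `syslog_file` is hypothetical, and the journal section from the post is unchanged and omitted here.

```alloy
// Added example, not the poster's config. "syslog_file" is a hypothetical name.
local.file_match "logs_integrations_integrations_node_exporter_direct_scrape" {
  path_targets = [{
    __address__ = "localhost",
    __path__    = "/var/log/syslog",
    instance    = constants.hostname,
    job         = "integrations/node_exporter",
  }]
}

// Component labels must be plain identifiers, so the name has no dots.
loki.source.file "syslog_file" {
  targets = local.file_match.logs_integrations_integrations_node_exporter_direct_scrape.targets
  // Send lines through the parser first instead of straight to loki.write.
  forward_to = [loki.process.syslog_parser.receiver]
}

loki.process "syslog_parser" {
  // Must point at a loki.write component defined in this file ("local").
  forward_to = [loki.write.local.receiver]

  // Stages are written as stage.<name> blocks. The named capture group puts
  // the second whitespace-separated field into the extracted map under the
  // key syslog_host (for the sample line: omada.montysplace.local).
  stage.regex {
    expression = "^\\S+\\s+(?P<syslog_host>\\S+)"
  }

  // Promote the extracted value to a label. An empty string means
  // "use the extracted key with the same name as the label".
  stage.labels {
    values = {
      syslog_host = "",
    }
  }
}

loki.write "local" {
  endpoint {
    url = "http://syslog.montysplace.local:3100/loki/api/v1/push"
  }
}
```

The hostname field is written by the sending device, so treat `syslog_host` as unverified input and keep an eye on label cardinality if arbitrary senders can reach rsyslog.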