在 Loki 中删除日志的一部分
我已经使用 grafana/loki-stack。
我还使用 Nginx helm 图表设置了 Nginx。
Promtail 正在将日志很好地摄取到 Loki 中,但我想自定义日志的外观。具体来说,我想删除日志的一部分,因为它在尝试使用 logfmt 或 json 解析日志时会产生错误(Error: LogfmtParserErr 和分别是错误:JsonParserErr)。
日志如下所示:
2022-02-21T13:41:53.155640208Z stdout F timestamp=2022-02-21T13:41:53+00:00 http_request_method=POST http_response_status_code=200 http_response_time=0.001 http_version=HTTP/2.0 http_request_body_bytes=0 http_request_bytes=63
我想删除其中显示 stdout F 的部分,因此日志将如下所示:
2022-02-21T13:41:53.155640208Z timestamp=2022-02-21T13:41:53+00:00 http_request_method=POST http_response_status_code=200 http_response_time=0.001 http_version=HTTP/2.0 http_request_body_bytes=0 http_request_bytes=63
我发现在摄取方面,它可能是 Promtail 的内容,但是是否也可以在 Loki 中进行 LogQL 查询来替换该字符串?如何设置 Promtail 配置来实现所需的行为?
I have installed Grafana, Loki, Promtail and Prometheus with the grafana/loki-stack.
I also have Nginx set up with the Nginx helm chart.
Promtail is ingesting logs fine into Loki, but I want to customise the way my logs look. Specifically I want to remove a part of the log because it creates errors when trying to parse it with either logfmt or json (Error: LogfmtParserErr and Error: JsonParserErr respectively).
The logs look like this:
2022-02-21T13:41:53.155640208Z stdout F timestamp=2022-02-21T13:41:53+00:00 http_request_method=POST http_response_status_code=200 http_response_time=0.001 http_version=HTTP/2.0 http_request_body_bytes=0 http_request_bytes=63
and I want to remove the part where it says stdout F so the log will look like this:
2022-02-21T13:41:53.155640208Z timestamp=2022-02-21T13:41:53+00:00 http_request_method=POST http_response_status_code=200 http_response_time=0.001 http_version=HTTP/2.0 http_request_body_bytes=0 http_request_bytes=63
I have figured out that on the ingestion side it could be something with Promtail, but ist it also possible to make a LogQL query in Loki to just replace that string? And how would one set up the Promtail configuration for the wanted behaviour?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
根据文档,更好的方法是启用 cri 管道阶段而不是 docker 阶段。假设您正在从最近使用 CRI 的 kubernetes 安装中获取日志。
https://grafana.com/docs/loki/latest/clients/ promtail/配置/#cri
According to the docs a better approach is to enable the cri pipeline stage instead of the docker one. Assuming that you are ingesting logs from a recent kubernetes installation that uses CRI.
https://grafana.com/docs/loki/latest/clients/promtail/configuration/#cri
Promtail 应配置为将字符串替换为
replace< /代码>阶段。以下是一个示例配置,它删除了来自命名空间 ingress 的所有日志的日志的
stdout F部分。具体来说,此示例适用于
grafana/loki-stack图表。Promtail should be configured to replace the string with the
replacestage.Here is a sample config that removes the
stdout Fpart of the log for all logs coming from the namespace ingress.Specifically this example works for the
grafana/loki-stackchart.尝试以下 Loki 查询:
它使用 模式管道 来提取时间戳并从日志行记录消息。然后它使用 line_format 管道 格式化提取的内容时间戳和消息写入日志行。
PS 此查询在 LogsQL 中看起来更简单 - 我所处理的日志的替代查询语言:
请参阅
替换管道。Try the following Loki query:
It uses pattern pipe for extracting timestamp and log message from log line. Then it uses line_format pipe for formatting the extracted timestamp and message into log line.
P.S. This query looks simpler in LogsQL - an alternative query language for logs I work on:
See
replacepipe.