Menu

Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Open source

loki.source.journal

loki.source.journal reads from the systemd journal and forwards them to other loki.* components.

Multiple loki.source.journal components can be specified by giving them different labels.

Usage

river
loki.source.journal "LABEL" {
  forward_to    = RECEIVER_LIST
}

Arguments

The component starts a new journal reader and fans out log entries to the list of receivers passed in forward_to.

loki.source.journal supports the following arguments:

NameTypeDescriptionDefaultRequired
format_as_jsonboolWhen true, log messages from the journal are passed through the pipeline as a JSON message with all of the journal entries’ original fields. When false, the log message is the text content of the MESSAGE field from the journal entry.falseno
max_agedurationThe oldest relative time from process start that will be read"7h"no
pathstringPath to a directory to read entries from. Defaults to system paths (/var/log/journal and /run/log/journal) when empty.""no
matchesstringJournal matches to filter. Character (+) is not supported, only logical AND matches will be added.""no
forward_tolist(LogsReceiver)List of receivers to send log entries to.yes

NOTE: A job label is added with the full name of the component loki.source.journal.LABEL.

Blocks

The following blocks are supported inside the definition of loki.source.journal:

HierarchyNameDescriptionRequired
relabel_rulesrelabel_rulesRelabeling rules to apply to received log entries.no

relabel_rules block

The rule block contains the definition of any relabeling rules that can be applied to an input metric. If more than one rule block is defined, the transformations are applied in top-down order.

The following arguments can be used to configure a rule. All arguments are optional. Omitted fields take their default values.

NameTypeDescriptionDefaultRequired
source_labelslist(string)The list of labels whose values are to be selected. Their content is concatenated using the separator and matched against regex.no
separatorstringThe separator used to concatenate the values present in source_labels.;no
regexstringA valid RE2 expression with support for parenthesized capture groups. Used to match the extracted value from the combination of the source_label and separator fields or filter labels during the labelkeep/labeldrop/labelmap actions.(.*)no
modulusuintA positive integer used to calculate the modulus of the hashed source label values.no
target_labelstringLabel to which the resulting value will be written to.no
replacementstringThe value against which a regex replace is performed, if the regex matches the extracted value. Supports previously captured groups.$1no
actionstringThe relabeling action to perform.replaceno

Here’s a list of the available actions, along with a brief description of their usage.

  • replace - Matches regex to the concatenated labels. If there’s a match, it replaces the content of the target_label using the contents of the replacement field.
  • keep - Keeps metrics where regex matches the string extracted using the source_labels and separator.
  • drop - Drops metrics where regex matches the string extracted using the source_labels and separator.
  • hashmod - Hashes the concatenated labels, calculates its modulo modulus and writes the result to the target_label.
  • labelmap - Matches regex against all label names. Any labels that match are renamed according to the contents of the replacement field.
  • labeldrop - Matches regex against all label names. Any labels that match are removed from the metric’s label set.
  • labelkeep - Matches regex against all label names. Any labels that don’t match are removed from the metric’s label set.

Finally, note that the regex capture groups can be referred to using either the $CAPTURE_GROUP_NUMBER or ${CAPTURE_GROUP_NUMBER} notation.

Incoming messages have labels from the journal following the patten __journal_FIELDNAME

These labels are stripped unless a rule is created to retain the labels. An example rule is below.

river
rule {
		action      = "labelmap"
		regex       = "__journal_(.*)"
		replacement = "journal_${1}"
	}

Component health

loki.source.journal is only reported as unhealthy if given an invalid configuration.

Debug Metrics

  • agent_loki_source_journal_target_parsing_errors_total (counter): Total number of parsing errors while reading journal messages.
  • agent_loki_source_journal_target_lines_total (counter): Total number of successful journal lines read.

Example

river
loki.source.journal "read"  {
    forward_to = [loki.write.endpoint.receiver]
}

loki.write "endpoint" {
    endpoint {
        url ="loki:3100/api/v1/push"
    }  
}