From e06361f40d26d150c22955eacc104d8e308cc238 Mon Sep 17 00:00:00 2001 From: WesselAtWork <115667066+WesselAtWork@users.noreply.github.com> Date: Wed, 7 May 2025 12:20:33 +0200 Subject: [PATCH 1/2] fix(NodeLogs): fix labelmap regex --- .../charts/feature-node-logs/templates/_module.alloy.tpl | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl b/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl index d92a5ec229..b5f3ed32e2 100644 --- a/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl +++ b/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl @@ -36,7 +36,7 @@ declare "node_logs" { // More Info: https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html rule { action = "labelmap" - regex = "__journal__(.+)" + regex = "__journal__?(.+)" } rule { @@ -54,9 +54,10 @@ declare "node_logs" { replacement = "$1" target_label = "service_name" } - {{- if .Values.extraDiscoveryRules }} - {{ .Values.extraDiscoveryRules | indent 2 }} - {{- end }} + + {{- if .Values.extraDiscoveryRules }} + {{ .Values.extraDiscoveryRules | indent 4 }} + {{- end }} forward_to = [] // No forward_to is used in this component, the defined rules are used in the loki.source.journal component } From 45ce44f40cb20c17092c2742ab17e2c2ae1bf476 Mon Sep 17 00:00:00 2001 From: WesselAtWork <115667066+WesselAtWork@users.noreply.github.com> Date: Wed, 7 May 2025 15:18:56 +0200 Subject: [PATCH 2/2] Add label overides --- .../templates/_module.alloy.tpl | 50 +++++++++++++++++-- 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl b/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl index b5f3ed32e2..131bf91ab9 100644 --- a/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl +++ b/charts/k8s-monitoring/charts/feature-node-logs/templates/_module.alloy.tpl @@ -26,6 +26,7 @@ declare "node_logs" { // - machine_id // - pid // - stream_id + // - syslog_identifier // - systemd_cgroup // - systemd_invocation_id // - systemd_slice @@ -39,18 +40,59 @@ declare "node_logs" { regex = "__journal__?(.+)" } + // preserves original value of `__journal_unit` and `__journal_user_unit` becuase we will overide `unit` and `user_unit` rule { action = "replace" - source_labels = ["__journal__systemd_unit"] + source_labels = ["__journal_unit"] + target_label = "journal_unit" + } + + rule { + action = "replace" + source_labels = ["__journal_user_unit"] + target_label = "journal_user_unit" + } + + // fills the labels `unit` and `user_unit` + rule { + action = "replace" + source_labels = [ + "__journal_unit", + "__journal__systemd_unit", + ] + separator = ";" + regex = "^;*([^;]+).*$" replacement = "$1" target_label = "unit" } - // the service_name label will be set automatically in loki if not set, and the unit label - // will not allow service_name to be set automatically. rule { action = "replace" - source_labels = ["__journal__systemd_unit"] + source_labels = [ + "__journal_user_unit", + "__journal__systemd_user_unit", + ] + separator = ";" + regex = "^;*([^;]+).*$" + replacement = "$1" + target_label = "user_unit" + } + + // the `service_name` label will be set automatically in loki + // we set it here, which means `service_name` WILL NOT be set automatically by loki. + // we try every useful identifier until we hit something + // `_systemd_unit` should always be set, but we have `syslog_identifier` as a hail-mary + rule { + action = "replace" + source_labels = [ + "__journal_unit", + "__journal_user_unit", + "__journal__systemd_unit", + "__journal__systemd_user_unit", + "__journal_syslog_identifier", + ] + separator = ";" + regex = "^;*([^;]+).*$" replacement = "$1" target_label = "service_name" }