how to promtail parse json to label and timestamp

Question

I have a probleam to parse a json log with promtail, please, can somebody help me please. I try many configurantions, but don't parse the timestamp or other labels.

log entry:

{timestamp=2019-10-25T15:25:41.041-03, level=WARN, thread=http-nio-0.0.0.0-8080-exec-2, mdc={handler=MediaController, ctxCli=127.0.0.1, ctxId=FdD3FVqBAb0}, logger=br.com.brainyit.cdn.vbox.
controller.MediaController, message=[http://localhost:8080/media/sdf],c[500],t[4],l[null], context=default}

promtail-config.yml

server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://localhost:3100/loki/api/v1/push

scrape_configs:
- job_name: vbox-main
  static_configs:
  - targets:
    - localhost
    labels:
      job: vbox
      appender: main
      __path__: /var/log/vbox/main.log        

  pipeline_stages:
  - json:
      expressions:
        timestamp: timestamp
        message: message
        context: context
        level: level
      timestamp:
        source: timestamp
        format: RFC3339Nano
      labels:
        context:
        level:
      output:
        source: message

Answer 1

I've tried the setup of Promtail with Java SpringBoot applications (which generates logs to file in JSON format by Logstash logback encoder) and it works.

The example log line generated by application:

{"timestamp":"2020-06-06T01:00:30.840+02:00","version":1,"message":"Started ApiApplication in 1.431 seconds (JVM running for 6.824)","logger_name":"com.github.pnowy.spring.api.ApiApplication","thread_name":"main","level":"INFO","level_value":20000}

The prometail config:

# Promtail Server Config
server:
  http_listen_port: 9080
  grpc_listen_port: 0

# Positions
positions:
  filename: /tmp/positions.yaml
    
clients:
  - url: http://localhost:3100/loki/api/v1/push

scrape_configs:
- job_name: springboot
  pipeline_stages:
  - json:
      expressions:
        level: level
        message: message
        timestamp: timestamp
        logger_name: logger_name
        stack_trace: stack_trace
        thread_name: thread_name
  - labels:
      level:
  - template:
      source: new_key
      template: 'logger={{ .logger_name }} threadName={{ .thread_name }} | {{ or .message .stack_trace }}'
  - output:
      source: new_key
  static_configs:
  - targets:
      - localhost
    labels:
      job: applogs
      __path__: /Users/przemek/tools/promtail/*.log

Please notice that the output (the log text) is configured first as new_key by Go templating and later set as the output source. The logger={{ .logger_name }} helps to recognise the field as parsed on Loki view (but it's an individual matter of how you want to configure it for your application).

Here you will find quite nice documentation about entire process: https://grafana.com/docs/loki/latest/clients/promtail/pipelines/

The example was run on release v1.5.0 of Loki and Promtail (Update 2020-04-25: I've updated links to current version - 2.2 as old links stopped working).

The section about timestamp is here: https://grafana.com/docs/loki/latest/clients/promtail/stages/timestamp/ with examples - I've tested it and also didn't notice any problem. Hope that help a little bit.

The JSON configuration part: https://grafana.com/docs/loki/latest/clients/promtail/stages/json/

Result on Loki: