I have a single log file that is continuously being appended to with the following fields enclosed inside the brackets:
I plan to use Promtail to parse this single file in real-time as new records are being appended to it.
Is this possible with Promtail? I'm not sure that it can handle multi-line processing. If that is indeed the case, then what does Promtail expect? A single file with a single record that is constantly overwritten with new info?
It is a rather old question, but still:
Yes, it is possible. I'm using it in a similar scenario. The service appends a new line (JSON) at the end of the file and then it is being processed by Promtail.
The Promtail configuration looks something like this:

```yaml
scrape_configs:
  - job_name: <name>
    pipeline_stages:
      # Parse each line as JSON and extract the fields used below.
      - json:
          expressions:
            thread: thread
            level: level
            message: message
            timestamp: timestamp
            # Hyphenated keys are written as quoted JMESPath identifiers.
            traceID: '"trace-id"'
            correlationID: '"correlation-id"'
      # Only `level` becomes a label.
      - labels:
          level:
      # Build the final log line into `new_key`.
      - template:
          source: new_key
          template: 'thread={{ .thread }} level={{ .level | ToLower }} correlationID={{ .correlationID }} traceID={{ .traceID }} | {{ .message }}'
      # Replace the log line with the rendered template.
      - output:
          source: new_key
    static_configs:
      - targets:
          - localhost
        labels:
          job: <some job name>
          __path__: /log/output.json
```
The JSON line (prettified) looks like this:
```json
{
  "instant": {
    "epochSecond": 1613470246,
    "nanoOfSecond": 779983000
  },
  "thread": "thread-name",
  "level": "WARN",
  "loggerName": "it.issome.logger.class.name",
  "message": "Some kind of message",
  "endOfBatch": false,
  "loggerFqcn": "org.apache.logging.slf4j.Log4jLogger",
  "threadId": 31,
  "threadPriority": 5,
  "correlation-id": "correlation-id",
  "trace-id": "d6555df8asdf456a",
  "timestamp": "2021-02-16T10:10:46.779+0000"
}
```
There is not much good material or troubleshooting tips about Promtail, or I'm poor at seeking it out :)
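
Added example, not part of the original answer and not Promtail's code: a Python sketch that imitates the four stages of the configuration above on a constructed one-line copy of the sample record, so the expected label and output line can be checked by hand. The function names are assumptions of this sketch, and lines that are not a JSON object are only reported as `None`; Promtail's own error handling is not modelled.

```python
import json

# json stage: extracted name -> key in the log record (from the config above).
EXPRESSIONS = {
    "thread": "thread", "level": "level", "message": "message",
    "timestamp": "timestamp", "traceID": "trace-id",
    "correlationID": "correlation-id",
}

# Constructed sample: the record from the answer, written on ONE line,
# which is how the service appends it to /log/output.json.
SAMPLE_LINE = json.dumps({
    "instant": {"epochSecond": 1613470246, "nanoOfSecond": 779983000},
    "thread": "thread-name", "level": "WARN",
    "loggerName": "it.issome.logger.class.name",
    "message": "Some kind of message", "endOfBatch": False,
    "correlation-id": "correlation-id", "trace-id": "d6555df8asdf456a",
    "timestamp": "2021-02-16T10:10:46.779+0000",
})

def run_pipeline(line):
    """Return (labels, output_line) for one line, or None if it is not a JSON object."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    # json stage (missing keys become empty strings in this sketch)
    extracted = {name: record.get(key, "") for name, key in EXPRESSIONS.items()}
    # labels stage: runs before the template, so the label keeps the raw value
    labels = {"level": extracted["level"]}
    # template stage: render into new_key, lower-casing level as ToLower does
    extracted["new_key"] = (
        "thread={thread} level={lvl} correlationID={correlationID} "
        "traceID={traceID} | {message}"
    ).format(lvl=str(extracted["level"]).lower(), **extracted)
    # output stage: new_key replaces the log line
    return labels, extracted["new_key"]

def process(text):
    """Apply the pipeline to every non-empty line, one record per line."""
    return [run_pipeline(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_LINE))
    # A pretty-printed record spans many lines; none of them parses alone.
    print(process(json.dumps(json.loads(SAMPLE_LINE), indent=2)))
```

Note that the `level` label keeps the original `WARN`, while the rendered line carries `level=warn`, because only the template applies `ToLower`.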