vectorsystemd-journald

How to filter Journald PRIORITY in Vector?


I'm trying to limit the journald logs my Vector config picks up, but it does not appear to work. There are no error messages, and Vector is sending all logs to Loki. The Vector version is 0.22.2.

Here is my vector.toml file:

# Journald source: reads entries from the systemd journal.
# No unit or priority restriction is set here, so every entry from the
# current boot is emitted to whatever lists this source in its `inputs`.
[sources.host_journald_source]
type = "journald"
# Limit collection to entries from the current boot.
current_boot_only = true

# Filter transform: forwards only the events for which `condition` is true.
# It affects only components that list "host_journald_filter" in their
# `inputs`. The sink is not shown in this snippet; if it still reads from
# "host_journald_source", the filter is bypassed and every entry is shipped
# without any error. TODO: confirm against the sink's `inputs`.
[transforms.host_journald_filter]
type = "filter"
inputs = ["host_journald_source"]
# VRL condition: true when .PRIORITY is one of the listed strings
# (syslog severities 0 = emerg through 4 = warning). The sample event on
# this page carries PRIORITY as a string ("6"), so strings are compared.
condition = '''
    includes(["0", "1", "2", "3", "4"], .PRIORITY)
'''

Here is an example of a log I want to exclude, as shown in the Explore view of my Grafana Loki data source:

Log labels
boot_id 7d16b8f4fc2a4366b9e705f52b75979e
cmdline /sbin/init
host    myhost-test
message run-docker-runtime\x2drunc-moby-3995a89e568b3d38fd01a158b8bfd5e02e27b05c60c128aed8a71ed121b44c07-runc.t7aKhj.mount: Deactivated successfully.
Detected fields
CODE_FILE   "src/core/unit.c"
CODE_FUNC   "unit_log_success"
CODE_LINE   "5553"
INVOCATION_ID   "e5b739ebc26a4897bd1288844a875d10"
MESSAGE_ID  "7ad2d189f7e94e70a38c781354912448"
PRIORITY    "6"
SYSLOG_FACILITY "3"
SYSLOG_IDENTIFIER   "systemd"
TID "1"
Time    1655917978170
UNIT    "run-docker-runtime\\x2drunc-moby-3995a89e568b3d38fd01a158b8bfd5e02e27b05c60c128aed8a71ed121b44c07-runc.t7aKhj.mount"
_BOOT_ID    "7d16b8f4fc2a4366b9e705f52b75979e"
_CAP_EFFECTIVE  "1ffffffffff"
_CMDLINE    "/sbin/init"
_COMM   "systemd"
_EXE    "/usr/lib/systemd/systemd"
_GID    "0"
_MACHINE_ID "fff69d4a6e8643678404cfa6b346143b"
_PID    "1"
_SELINUX_CONTEXT    "unconfined\n"
_SOURCE_REALTIME_TIMESTAMP  "1655917978170117"
_SYSTEMD_CGROUP "/init.scope"
_SYSTEMD_SLICE  "-.slice"
_SYSTEMD_UNIT   "init.scope"
_TRANSPORT  "journal"
_UID    "0"
__MONOTONIC_TIMESTAMP   "35722646432"
__REALTIME_TIMESTAMP    "1655917978172193"
host    "myhost-test"
labels  [object Object]
message "run-docker-runtime\\x2drunc-moby-3995a89e568b3d38fd01a158b8bfd5e02e27b05c60c128aed8a71ed121b44c07-runc.t7aKhj.mount: Deactivated successfully."
source_type "journald"
tsNs    1655917978170117000

Solution

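  • My vector.toml file now looks like this (the PRIORITY restriction is applied in the journald source itself through include_matches, and the sink reads directly from that source):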

    # Journald source with the filtering done at read time, so entries that
    # do not match are never turned into events.
    [sources.host_journald_source]
    type = "journald"
    # Limit collection to entries from the current boot.
    current_boot_only = true
    # NOTE(review): since_now starts from new entries instead of replaying
    # the existing journal. Confirm that entries written before Vector
    # starts (for example during a restart) may be missed.
    since_now = true
    # NOTE(review): Vector's docs say unit names without a "." get
    # ".service" appended, so this selects "systemd.service". The sample
    # event on this page has _SYSTEMD_UNIT "init.scope"; verify this list
    # matches the units you intend. Restricting units also means warnings
    # and errors from every other unit (e.g. login or privilege-escalation
    # services) never reach Loki.
    include_units = [ "systemd" ]
    # Keep only entries whose PRIORITY is 0 (emerg) through 4 (warning).
    # Values are strings because journald stores PRIORITY as text.
    include_matches.PRIORITY = [ "0", "1", "2", "3", "4" ]
    
    # Loki sink: ships events to a Loki instance over HTTP.
    [sinks.loki]
    type = "loki"
    # Reads straight from the source; no transform sits in between, so all
    # filtering relies on the source's include_* settings.
    inputs = [ "host_journald_source" ]
    # Plain HTTP with no authentication configured in this block. That is
    # reasonable only while Loki listens on loopback; if the endpoint moves
    # off-host, switch to https and configure authentication on the sink.
    endpoint = "http://localhost:3100"
    compression = "none"
    request.concurrency = "adaptive"
    # Events older than the newest one already sent are still forwarded
    # rather than dropped.
    out_of_order_action = "accept"
    
    # Loki stream labels, rendered per event from Vector templates.
    # Every distinct combination of label values becomes a separate stream
    # in Loki's index, so labels should stay few and low-cardinality.
    [sinks.loki.labels]
    boot_id = '{{ "_BOOT_ID" }}'
    # NOTE(review): the message text is effectively unbounded, so using it
    # as a label creates a new stream for almost every log line and can
    # exhaust Loki's index and stream limits. With the json codec the
    # message is presumably already in the log line; consider dropping
    # this label.
    message = "{{ message }}"
    # NOTE(review): process command lines can contain credentials or
    # tokens passed as arguments; review before promoting _CMDLINE to an
    # indexed label, and note that it is also high-cardinality.
    cmdline = '{{ "_CMDLINE" }}'
    host = "{{ host }}"
    # NOTE(review): the sample event on this page has UNIT and
    # _SYSTEMD_UNIT but no USER_UNIT field; confirm this template resolves
    # for the entries you collect.
    user_unit = '{{ "USER_UNIT" }}'
    
    # Encoding of the log line sent to Loki: each event is serialized as a
    # JSON object. Presumably this carries all journald fields of the event
    # (including message and _CMDLINE), so anyone with query access to Loki
    # can read them. Verify that this exposure is acceptable.
    [sinks.loki.encoding]
    codec = "json"