Send output_fields to Loki #1090

Open
Zalaxx opened this issue Jan 17, 2025 · 6 comments


Zalaxx commented Jan 17, 2025

Motivation
Currently, when using Loki to store events from Falcosidekick, only the output string is sent (source code). It causes issues when trying to properly parse the event, and it is missing information. Other destinations seem to support sending output_fields.

Feature
Add the ability to send output_fields instead of output to Loki, either by default or with an additional configuration like send_json_output or something.

Alternatives
Improve the formatting of the logfmt output string, by quoting values containing a space.

Additional context
I would be happy to provide a pull request, I just need some guidance on how to integrate the change (retro-compatibility, configuration, defaults...)

Zalaxx added the kind/feature (New feature or request) label Jan 17, 2025
Member

Issif commented Jan 17, 2025

Hi,

The output fields are not used as labels for the Loki log lines on purpose; it's to avoid exploding the cardinality, as they might be numerous.

However, it's already possible to list the output fields you would like to have:

| Setting | Env var | Default value | Description |
| --- | --- | --- | --- |
| loki.extralabels | LOKI_EXTRALABELS | | comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields |

For example:

loki:
  extralabels: "container.name, container.id"

Does it fit with your needs?

Issif added this to the 2.x milestone Jan 17, 2025
Author

Zalaxx commented Jan 17, 2025

Thank you for the quick answer,
What I want to do is not to modify the labels, but the content of the log entry sent to Loki (the Values field in the source code).
The logs are not indexed as a separate stream (only labels are) but can still be parsed and extracted for further processing and filtering. So if the log was in JSON, we could just pop a | json after the stream selector and use the fields we want (doc).
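
Added example (not part of the thread and not Falcosidekick's code): a constructed output_fields map rendered as unquoted key=value text, as text with the quoting proposed under "Alternatives", and as the JSON object a `| json` stage would parse. The field values and the helper names textLine and jsonLine are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of an event's output_fields (not taken from the issue).
var sampleFields = map[string]interface{}{
	"container.name": "web frontend",
	"proc.cmdline":   "sh -c id",
	"user.name":      "root",
}

// textLine renders fields as sorted key=value pairs. With quote=true, values
// containing a space, '=' or '"' are quoted so a parser can find their end.
func textLine(fields map[string]interface{}, quote bool) string {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		v := fmt.Sprint(fields[k])
		if quote && strings.ContainsAny(v, " \"=") {
			v = fmt.Sprintf("%q", v)
		}
		parts = append(parts, k+"="+v)
	}
	return strings.Join(parts, " ")
}

// jsonLine renders the same fields as a single JSON object (one log line).
func jsonLine(fields map[string]interface{}) (string, error) {
	b, err := json.Marshal(fields)
	return string(b), err
}

func main() {
	fmt.Println(textLine(sampleFields, false)) // ambiguous: 3 fields, 6 tokens
	fmt.Println(textLine(sampleFields, true))
	if line, err := jsonLine(sampleFields); err == nil {
		fmt.Println(line)
	}
}
```

The unquoted line splits into six whitespace-separated tokens for three fields, which is the parsing problem described in the issue; the quoted and JSON forms keep each value intact.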

Member

Issif commented Jan 17, 2025

Ok, I see now what you meant. It's pretty easy to add a new config option:

loki:
  format: text # format for the log entry: text, json (default: text)

Member

Issif commented Jan 17, 2025

While checking for your PR, I noticed some improvements to make to the Loki output; I included your request in the same PR: #1091

Author

Zalaxx commented Jan 17, 2025

That was fast, thank you very much! <3

Member

Issif commented Jan 17, 2025

I can't give you any ETA for the release. If it's urgent, you can still use the master branch like this (with a Helm deployment):

falcosidekick:
  image:
    tag: master
  config:
    extraEnv:
      - LOKI_FORMAT: json
