I'm trying to limit the journald logs my vector config picks up but it appears not to work. There are no error messages. Vector is sending all logs to loki. The vector version is 0.22.2.
Here is my vector.toml file:
# Journald source: reads entries from the systemd journal on this host.
[sources.host_journald_source]
type = "journald"
# Only entries from the current boot are read.
current_boot_only = true
# Filter transform: an event passes only when its PRIORITY field is one of the
# strings "0".."4" (syslog emerg through warning). The sample record on this
# page carries PRIORITY "6", so this condition would drop it.
# NOTE(review): a transform only affects components that name it in their
# `inputs`. The sink is not shown in this snippet; if it lists
# "host_journald_source" rather than "host_journald_filter", every event
# bypasses this filter and no error is reported. Confirm the sink's inputs.
# NOTE(review): notice (5) and info (6) records never reach Loki with this
# cut-off. Many services log routine authentication and session events at
# those levels, so confirm the threshold against what detection and incident
# response need.
[transforms.host_journald_filter]
type = "filter"
inputs = ["host_journald_source"]
condition = '''
includes(["0", "1", "2", "3", "4"], .PRIORITY)
'''
Here is an example of a log I want to exclude in my grafana loki datasource explorer:
Log labels
boot_id 7d16b8f4fc2a4366b9e705f52b75979e
cmdline /sbin/init
host myhost-test
message run-docker-runtime\x2drunc-moby-3995a89e568b3d38fd01a158b8bfd5e02e27b05c60c128aed8a71ed121b44c07-runc.t7aKhj.mount: Deactivated successfully.
Detected fields
CODE_FILE "src/core/unit.c"
CODE_FUNC "unit_log_success"
CODE_LINE "5553"
INVOCATION_ID "e5b739ebc26a4897bd1288844a875d10"
MESSAGE_ID "7ad2d189f7e94e70a38c781354912448"
PRIORITY "6"
SYSLOG_FACILITY "3"
SYSLOG_IDENTIFIER "systemd"
TID "1"
Time 1655917978170
UNIT "run-docker-runtime\\x2drunc-moby-3995a89e568b3d38fd01a158b8bfd5e02e27b05c60c128aed8a71ed121b44c07-runc.t7aKhj.mount"
_BOOT_ID "7d16b8f4fc2a4366b9e705f52b75979e"
_CAP_EFFECTIVE "1ffffffffff"
_CMDLINE "/sbin/init"
_COMM "systemd"
_EXE "/usr/lib/systemd/systemd"
_GID "0"
_MACHINE_ID "fff69d4a6e8643678404cfa6b346143b"
_PID "1"
_SELINUX_CONTEXT "unconfined\n"
_SOURCE_REALTIME_TIMESTAMP "1655917978170117"
_SYSTEMD_CGROUP "/init.scope"
_SYSTEMD_SLICE "-.slice"
_SYSTEMD_UNIT "init.scope"
_TRANSPORT "journal"
_UID "0"
__MONOTONIC_TIMESTAMP "35722646432"
__REALTIME_TIMESTAMP "1655917978172193"
host "myhost-test"
labels [object Object]
message "run-docker-runtime\\x2drunc-moby-3995a89e568b3d38fd01a158b8bfd5e02e27b05c60c128aed8a71ed121b44c07-runc.t7aKhj.mount: Deactivated successfully."
source_type "journald"
tsNs 1655917978170117000
My vector.toml file now looks like this:
# Journald source with the restrictions applied at the source itself, so no
# separate filter transform is needed downstream.
[sources.host_journald_source]
type = "journald"
current_boot_only = true
# Skip existing journal history; only entries written after the source starts
# are read.
since_now = true
# NOTE(review): Vector's documentation says unit names without a "." get
# ".service" appended, so this presumably selects "systemd.service". The sample
# record on this page has _SYSTEMD_UNIT "init.scope" and SYSLOG_IDENTIFIER
# "systemd"; confirm which of the two is meant to be matched.
include_units = [ "systemd" ]
# Only journal entries whose PRIORITY is "0".."4" (emerg through warning) are
# collected; notice/info/debug entries are never read, so they are absent from
# Loki. Confirm that cut-off against audit and detection requirements.
include_matches.PRIORITY = [ "0", "1", "2", "3", "4" ]
# Loki sink: ships events straight from the journald source, with no transform
# in between.
[sinks.loki]
type = "loki"
inputs = [ "host_journald_source" ]
# Plain HTTP to the loopback interface. NOTE(review): if Loki is ever moved
# off-host, journal contents would cross the network unencrypted and
# unauthenticated; switch to https and configure sink authentication then.
endpoint = "http://localhost:3100"
compression = "none"
request.concurrency = "adaptive"
out_of_order_action = "accept"
# Labels attached to each Loki stream, rendered from event fields.
# NOTE(review): Loki indexes labels and keeps one stream per distinct label
# set, so a label built from the free-text `message` field has unbounded
# cardinality and can degrade or exhaust the Loki instance. The message
# presumably already travels in the JSON-encoded log line; consider dropping
# it as a label.
# NOTE(review): `cmdline` is taken from _CMDLINE, which can contain secrets
# passed as process arguments. Label values are exposed through label browsing
# and the index, so confirm this exposure is acceptable.
# NOTE(review): the sample record on this page has a UNIT field but no
# USER_UNIT field; confirm the `user_unit` template refers to a field that is
# actually present.
[sinks.loki.labels]
boot_id = '{{ "_BOOT_ID" }}'
message = "{{ message }}"
cmdline = '{{ "_CMDLINE" }}'
host = "{{ host }}"
user_unit = '{{ "USER_UNIT" }}'
# Events are serialized as JSON for the log line sent to Loki.
[sinks.loki.encoding]
codec = "json"