
Learn how to create custom log metrics with Promtail: configure Promtail, expose the metrics, and query them with PromQL in Prometheus for log analysis and alerting.

Promtail Custom Log Metrics

This guide demonstrates how to create and use custom log metrics with Promtail, so that values extracted from your logs are exposed for Prometheus to scrape and analyze. Promtail's pipeline stages, specifically the `metrics` stage, transform log lines into Prometheus-compatible metrics.

Setting Up Promtail for Custom Metrics

First, configure your Promtail agent to process logs and define custom metrics. This involves specifying the log source, labels, and the pipeline stages for metric extraction. Below is an example of a promtail-config.yml file:

$ cat /etc/promtail/promtail-config.yml
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /var/lib/promtail/positions.yaml

clients:
  - url: https://x:x@loki.domain.com/loki/api/v1/push

scrape_configs:
  - job_name: prod/logs
    static_configs:
    - targets:
        - localhost
      labels:
        job: prod/logs
        service: nginx-test
        logtype: info
        __path__: /var/log/nginx/access.log
    pipeline_stages:
    - match:
        selector: '{job="prod/logs", service="nginx-test"}'
        stages:
        - regex:
            expression: '.*(?P<hits>GET /.*)'
        - metrics:
            nginx_get_hits:
              type: Counter
              description: "Total GET requests"
              source: hits
              config:
                action: inc
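
The counter above counts whatever the `regex` stage matches, so it is worth running the expression against sample lines before alerting on it. The sketch below is an added example, not part of the original guide or of Promtail: it mimics the `regex` and `metrics` stages in Python (the expression uses syntax common to Go RE2 and Python `re`) over constructed nginx combined-format lines, and compares the page's expression with a tighter one. `STRICT_EXPR`, `count_hits` and the sample lines are assumptions made for illustration.

```python
import re

# Expression from the promtail-config.yml above.
PAGE_EXPR = r'.*(?P<hits>GET /.*)'
# Assumed tighter variant (not from the page): only the quoted request field
# of an nginx "combined" line may supply the GET.
STRICT_EXPR = r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<hits>GET /\S*) HTTP/[0-9.]+"'

# Constructed sample lines (nginx "combined" format, documentation IPs).
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"',
    '203.0.113.6 - - [10/Oct/2024:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # Not a GET request, but the user-agent field contains the text "GET /".
    '203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "POST /api HTTP/1.1" 200 15 "-" "check GET /x"',
    '203.0.113.8 - - [10/Oct/2024:13:55:39 +0000] "HEAD / HTTP/1.1" 200 0 "-" "monitor"',
    '203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]


def count_hits(expression, lines):
    """Mimic the regex stage feeding a Counter with `action: inc`.

    The regex stage matches unanchored; the counter is incremented once per
    line for which the `hits` group was extracted. Returns (count, values).
    """
    pattern = re.compile(expression)
    values = []
    for line in lines:
        match = pattern.search(line)
        if match and match.group("hits") is not None:
            values.append(match.group("hits"))
    return len(values), values


if __name__ == "__main__":
    for name, expr in (("page", PAGE_EXPR), ("strict", STRICT_EXPR)):
        count, values = count_hits(expr, SAMPLE_LINES)
        print(f"{name:6} expression -> counter = {count}")
        for value in values:
            print(f"         hits = {value!r}")
```

A tighter expression would go in the `expression` field of the `regex` stage; check it against your own nginx `log_format` first, since the field layout may differ from the combined format assumed here.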

Verifying Metrics Endpoint

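After configuring Promtail, verify that the metrics are exposed by requesting the /metrics endpoint on Promtail's HTTP port (9080 in the configuration above). The endpoint serves metrics in the Prometheus exposition format, and custom metrics appear with the promtail_custom_ prefix: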

$ curl http://localhost:9080/metrics
# HELP promtail_custom_nginx_get_hits Total GET requests
# TYPE promtail_custom_nginx_get_hits counter
promtail_custom_nginx_get_hits{filename="/var/log/nginx/access.log",job="prod/logs",logtype="info",service="nginx-test"} 801

Configuring Prometheus to Scrape Promtail Metrics

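Next, configure Prometheus to scrape the metrics exposed by Promtail. This example uses ec2_sd_configs for service discovery, assuming your Promtail instances run on EC2 instances tagged appropriately. The first relabel rule rewrites the scrape address to the instance's private IP on port 9080, the http_listen_port from the Promtail configuration, so the port set under ec2_sd_configs is not the one that gets scraped.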

scrape_configs:
  # promtail-exporter
  - job_name: promtail-exporter
    scrape_interval: 15s
    ec2_sd_configs:
    - region: eu-west-1
      port: 9100
      filters:
        - name: tag:PromtailScrape
          values:
            - Enabled
    relabel_configs:
    - source_labels: [__meta_ec2_private_ip]
      replacement: '${1}:9080'
      target_label: __address__
    - source_labels: [__meta_ec2_tag_Name]
      target_label: instance

Ensure your EC2 instances are tagged with PromtailScrape=Enabled for Prometheus to discover and scrape them. You can verify this in Prometheus by querying up{job="promtail-exporter"}.

Querying Custom Metrics with PromQL

Once Prometheus is scraping the metrics, you can query them using PromQL. For instance, to see the increase in GET requests over a 5-minute interval:

increase(promtail_custom_nginx_get_hits{service="nginx-test"}[5m])

Setting Up Alerts Based on Custom Metrics

Custom log metrics are well suited to alerting. You can define alerting rules in Prometheus to notify you when certain thresholds are breached. For example, to alert if the number of GET requests exceeds 5000 within a 5-minute window and the condition holds for 2 minutes:

groups:
  - name: loki_metric_alert
    rules:
    # Fire when GET requests over the last 5 minutes exceed 5000
    - alert: nginx_get_hits
      expr: sum(increase(promtail_custom_nginx_get_hits{service="nginx-test"}[5m])) > 5000
      # The condition must hold for 2 minutes before the alert fires
      for: 2m
Further Exploration

For more advanced metric configurations and troubleshooting, refer to the official Promtail documentation on pipeline stages and Prometheus documentation on PromQL functions.