Promtail: unable to discard logs based on pattern


I want Promtail to discard logs that contain the word "connection". I browsed a lot of examples online, and none of them seem to work when I include it in my Promtail YAML file. Furthermore, every attempt has finished with my Promtail docker failing to start up :o(

The following is the contents of my YAML file. Commented lines represent my 4 attempts, but I left them commented in order to recover my docker's operational status.

Assuming that any of the following examples were added (i.e. if I uncomment the lines): what am I doing wrong? Any hints will be greatly appreciated! Thanks!

LAST BUT NOT LEAST: the current YAML (please see below) allows me to add a set of labels to other log lines. The filter I wish to add must coexist with the current configuration!

scrape_configs:
  - job_name: syslog
    syslog:
      listen_address: 0.0.0.0:1514
      idle_timeout: 60s
      label_structured_data: no
      labels:
        job: "syslog"
    relabel_configs:
      - source_labels: ['__syslog_message_hostname']
        target_label: 'host'
    pipeline_stages:
# example 1
#      - match:
#          stages:      
#            - drop:
#                expression: '.*connection.*'
# example 2
#      - match:
#          expression: ".*connection.*"
#          action: drop
# example 3
#      - drop:
#          regex: ".*connection.*" 
# example 4
#      - drop: 
#         expression: ".*connection.*"
      - regex:
          expression: '.*hostname=(?P<hostname>[A-Z0-9_-]{16}).*devicetype=(?P<devicetype>[A-Z0-3]{2}).*country=(?P<country>[A-Z]{2}).*site=(?P<site>[A-Z_-]$
      - labels:
          hostname:
          devicetype:
          country:
          site:

Following online examples, I tried four different approaches to pattern matching and associated drop as shown above. All of them finished with my Promtail docker failing to start up.

There are 3 answers

0
user3260635

I think I got it. I split the pipeline_stages area in two match sections. I am much better now; at least promtail does not abort when it starts.

I am checking in Grafana; for the time being I do not see the annoying messages with the "connection" string.

pipeline_stages:
  - match:
      selector: '{job="syslog"} |= "connection"'
      action: drop
  - match:
      selector: '{job="syslog"} != "connection"'
      action: keep
      stages:
        - regex:
            expression: '.*hostname=(?P<hostname>[A-Z0-9_-]{16}).*devicetype=(?P<devicetype>[A-Z0-3]{2}).*country=(?P<country>[A-Z]{2}).*site=(?P<site>[A-Z_-]{9}).*[%][A-Z]{3}[-](?P<loglevel>[0-7]).*'
        - labels:
            hostname:
            devicetype:
            country:
            site:
            loglevel:
0
user3260635

I think the problem is that I want to do two mutually exclusive things in the same place. I have been reading a bit more, and it seems I have to somehow split my intention within pipeline_stages.

The problem I have to solve is: if logs have a "connection" string within them, discard them; else execute the regex and apply the labels to them.

0
user3260635

I solved the issue. I split the pipeline_stages section. That made the magic:

    target_label: 'host'
pipeline_stages:
  - match:
      selector: '{job="syslog"} |= "EOF"'
      action: drop
  - match:
      selector: '{job="syslog"} |= "connection"'
      action: drop
  - match:
      selector: '{job="syslog"} != "connection"'
      action: keep
      stages:
        - regex:
            expression: '.*hostname=(?P<hostname>[A-Z0-9_-]{16}).*devicetype=(?P<devicetype>[A-Z0-3]{2}).*country=(?P<country>[A-Z]{2}).*site=(?P<site>[A-Z_-]{9}).*[%][A-Z]{3}[-](?P<loglevel>[0-7]).*'
        - labels:
            hostname:
            devicetype:
            country:
            site:
            loglevel:
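
An offline check of the pipeline in the last answer, as an added example that is not part of the original posts: it models the two drop filters and the label regex in Python and runs them over constructed sample lines before the config is deployed. The name `run_pipeline`, the sample lines, and the pass-through of lines the regex does not match are assumptions of this model, not Promtail's own code.

```python
import re

# Substrings dropped by the answer's match stages; LogQL's |= is a
# case-sensitive "line contains" filter, modelled here with `in`.
DROP_SUBSTRINGS = ("EOF", "connection")

# Regex copied from the answer; (?P<name>...) groups work in Go RE2 and Python.
LABEL_RE = re.compile(
    r'.*hostname=(?P<hostname>[A-Z0-9_-]{16}).*devicetype=(?P<devicetype>[A-Z0-3]{2})'
    r'.*country=(?P<country>[A-Z]{2}).*site=(?P<site>[A-Z_-]{9})'
    r'.*[%][A-Z]{3}[-](?P<loglevel>[0-7]).*'
)

def run_pipeline(line):
    """Return None if the line is dropped, else the labels it would carry."""
    if any(s in line for s in DROP_SUBSTRINGS):
        return None
    labels = {"job": "syslog"}  # static label from the scrape config
    m = LABEL_RE.search(line)
    if m:
        labels.update(m.groupdict())
    # Assumption: a line the regex does not match is still forwarded,
    # carrying only the static label.
    return labels

# Constructed sample lines (not real device output).
PREFIX = "hostname=EDGE-ROUTER-0001 devicetype=R1 country=ES site=MADRID-HQ "
SAMPLES = [
    PREFIX + "%SYS-5-CONFIG_I: Configured from console",
    PREFIX + "%SEC-6-IPACCESSLOGP: connection denied tcp 192.0.2.10",
    PREFIX + "%SSH-4-FAIL: Connection closed by 192.0.2.10",
    "short line without structured fields",
    "unexpected EOF from peer",
]

def summarize(lines):
    """Map each line to 'DROPPED' or its sorted label pairs."""
    out = []
    for line in lines:
        labels = run_pipeline(line)
        out.append("DROPPED" if labels is None else sorted(labels.items()))
    return out

if __name__ == "__main__":
    for line, result in zip(SAMPLES, summarize(SAMPLES)):
        print(result, "<-", line)
```

The second and third samples show the effect of the case-sensitive filter: the lowercase "connection denied" event is dropped, while "Connection closed" is still shipped.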