Fluent Bit: Filtering Winlog Input by SourceName and EventType (.NET Runtime, Error) #10395
Unanswered
aamir-mansoori
asked this question in
Q&A
Replies: 0 comments
Title:
Fluent Bit: No Logs Sent to Loki When Filtering Windows Events by SourceName and EventType
Post Body:
Hi all,
I'm trying to send Windows Event Logs to Loki using Fluent Bit, but when I apply filters on the event SourceName and EventType, nothing shows up in Loki.
Here is the configuration I'm using:
```
[INPUT]
    Name            winlog
    Channels        Application
    Interval_Sec    1
    Tag             win
    String_Inserts  on
    DB              C:/fluent-bit/winlog.sqlite

[FILTER]
    Name    grep
    Match   win
    Regex   SourceName ^.NET Runtime$ EventType ^Error$

[FILTER]
    Name    record_modifier
    Match   win
    Record  module winlog
    Record  pool winlog
    Record  env stg
    Record  source fluentbit
    Record  service_name 26.60
    Record  thejob 26.60_winlog

[OUTPUT]
    Name       loki
    Match      win
    Host       <loki_host>
    Port       3100
    URI        /loki/api/v1/push
    Tenant_ID  win
    Labels     job=$thejob,module=$module,pool=$pool,env=$env,role=$role,service_name=$service_name,filename=$filename,source=$source
    Compress   gzip
```
However, if I run the following command without any filters:
```
.\fluent-bit.exe -i winlog -p 'channels=Application' -o stdout
```
I get output like this (which contains the exact event I want):
```
[[1748400617.249933200, {}], { "RecordNumber"=>529664, "TimeGenerated"=>"2025-05-28 08:46:56 +0700", "TimeWritten"=>"2025-05-28 08:46:56 +0700", "EventID"=>1000, "Qualifiers"=>0, "EventType"=>"Error", "EventCategory"=>1, "Channel"=>"Application", "SourceName"=>".NET Runtime", "ComputerName"=>"SVR-STG026060", "Message"=>"Test error message", "StringInserts"=>["Test error message"] }]
```
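Added example, not part of the original post and not Fluent Bit's own code: a Python model of how the grep filter would read the `Regex` line in the configuration above, assuming each `Regex` entry takes one key followed by one pattern (everything after the key, spaces included) and that multiple `Regex` entries must all match. The function names and the second sample record are constructed for illustration.

```python
import re

# The event from the stdout run in the post, reduced to the fields the filter reads.
EVENT = {"EventType": "Error", "SourceName": ".NET Runtime", "EventID": 1000}
# Constructed sample: same source, but not an error.
OTHER = {"EventType": "Information", "SourceName": ".NET Runtime", "EventID": 1022}

AS_POSTED = ["Regex SourceName ^.NET Runtime$ EventType ^Error$"]
ONE_RULE_PER_LINE = [
    r"Regex SourceName ^\.NET Runtime$",  # dot escaped so it matches a literal "."
    r"Regex EventType ^Error$",
]


def parse_rules(lines):
    """Split each 'Regex KEY PATTERN' line once: the first token is the key,
    the remainder (spaces included) is the pattern. Assumed grep behaviour."""
    rules = []
    for line in lines:
        directive, key, pattern = line.split(None, 2)
        if directive.lower() != "regex":
            raise ValueError(f"unsupported directive: {directive}")
        # MULTILINE approximates Ruby-style line anchors for ^ and $.
        rules.append((key, re.compile(pattern, re.MULTILINE)))
    return rules


def keeps(record, rules):
    """A record passes only if every Regex rule matches its key (AND)."""
    return all(
        key in record and rx.search(str(record[key])) is not None
        for key, rx in rules
    )


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("one rule per line", ONE_RULE_PER_LINE)):
        rules = parse_rules(cfg)
        print(name, [(k, rx.pattern) for k, rx in rules])
        print("  target event kept:", keeps(EVENT, rules))
        print("  other event kept: ", keeps(OTHER, rules))
```

Under that assumption the posted line becomes a single rule on `SourceName` whose pattern also contains ` EventType ^Error$`, so no record can match and nothing reaches the Loki output.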