Using Loki in Grafana

Grafana ships with built-in support for Loki, an open source log aggregation system by Grafana Labs. This topic explains options, variables, querying, and other options specific to this data source.

Add it as a data source and you are ready to build dashboards or query your log data in Explore. Refer to Add a data source for instructions on how to add a data source to Grafana. Only users with the organization admin role can add data sources.

Hosted Loki

You can run Loki on your own hardware or use Grafana Cloud. The free forever plan includes Grafana, 50 GB of Loki logs, 10K Prometheus series, and more. Create a free account to get started.

Loki settings

To access Loki settings, click the Configuration (gear) icon, then click Data Sources, and then click the Loki data source.

NameDescription
NameThe data source name. This is how you refer to the data source in panels, queries, and Explore.
DefaultDefault data source that is pre-selected for new panels.
URLURL of the Loki instance, e.g., http://localhost:3100.
Allowed cookiesGrafana Proxy deletes forwarded cookies by default. Specify cookies by name that should be forwarded to the data source.
Maximum linesUpper limit for the number of log lines returned by Loki (default is 1000). Lower this limit if your browser is sluggish when displaying logs in Explore.

Note: To troubleshoot configuration and other issues, check the log file located at /var/log/grafana/grafana.log on Unix systems or in <grafana_install_dir>/data/log on other platforms and manual installations.

Derived fields

The Derived Fields configuration allows you to:

  • Add fields parsed from the log message.
  • Add a link that uses the value of the field.

For example, you can use this functionality to link to your tracing backend directly from your logs, or link to a user profile page if a userId is present in the log line. These links appear in the log details.

Each derived field consists of:

  • Name - Shown in the log details as a label.
  • Regex - A Regex pattern that runs on the log message and captures part of it as the value of the new field. Can only contain a single capture group.
  • URL/query - If the link is external, then enter the full link URL. If the link is internal link, then this input serves as query for the target data source. In both cases, you can interpolate the value from the field with ${__value.raw} macro.
  • URL Label - (Optional) Set a custom display label for the link. The link label defaults to the full external URL or name of the linked internal data source and is overridden by this setting.
  • Internal link - Select if the link is internal or external. In case of internal link, a data source selector allows you to select the target data source. Only tracing data sources are supported.

You can use a debug section to see what your fields extract and how the URL is interpolated. Click Show example log message to show the text area where you can enter a log message.

Screenshot of the derived fields debugging Screenshot of the derived fields debugging Loki - 图2

The new field with the link shown in log details:

Detected fields link in Explore Detected fields link in Explore Loki - 图4

Loki query editor

You can use the Loki query editor to create log and metric queries.

NameDescription
Query expressionLoki query expression, refer to the LogQL documentation for more information.
Query typeChoose the type of query to run. The instant type queries against a single point in time. We are using “To” time from the time range. The range type queries over the selected range of time.
Line limitUpper limit for number of log lines returned by query. The default is the Maximum lines limit set in Loki settings.
LegendAvailable only in Dashboard. Controls the name of the time series, using name or pattern. For example {{hostname}} is replaced with the label value for the label hostname.

Log browser

With Loki log browser you can easily navigate through your list of labels and values and construct the query of your choice. Log browser has multi-step selection:

  1. Choose the labels you would like to consider for your search.
  2. Pick the values for selected labels. Log browser supports facetting and therefore it shows you only possible label combinations.
  3. Choose the type of query - logs query or rate metrics query. Additionally, you can also validate selector.

Screenshot of the log browser for Loki Screenshot of the log browser for Loki Loki - 图6

Querying with Loki

There are two types of LogQL queries:

  • Log queries - Return the contents of log lines.
  • Metric queries - Extend log queries and calculate sample values based on the content of logs from a log query.

Log queries

Querying and displaying log data from Loki is available via Explore, and with the logs panel in dashboards. Select the Loki data source, and then enter a LogQL query to display your logs.

A log query consists of two parts: log stream selector, and a log pipeline. For performance reasons begin by choosing a log stream by selecting a log label.

Log context

When using a search expression as detailed above, you can retrieve the context surrounding your filtered results. By clicking the Show Context link on the filtered rows, you’ll be able to investigate the log messages that came before and after the log message you’re interested in.

Live tailing

Loki supports Live tailing which displays logs in real-time. This feature is supported in Explore.

Note that Live Tailing relies on two Websocket connections: one between the browser and the Grafana server, and another between the Grafana server and the Loki server. If you run any reverse proxies, please configure them accordingly. The following example for Apache2 can be used for proxying between the browser and the Grafana server:

  1. ProxyPassMatch "^/(api/datasources/proxy/\d+/loki/api/v1/tail)" "ws://127.0.0.1:3000/$1"

The following example shows basic NGINX proxy configuration. It assumes that the Grafana server is available at http://localhost:3000/, Loki server is running locally without proxy, and your external site uses HTTPS. If you also host Loki behind NGINX proxy, then you might want to repeat the following configuration for Loki as well.

In the http section of NGINX configuration, add the following map definition:

  1. map $http_upgrade $connection_upgrade {
  2. default upgrade;
  3. '' close;
  4. }

In your server section, add the following configuration:

  1. location ~ /(api/datasources/proxy/\d+/loki/api/v1/tail) {
  2. proxy_pass http://localhost:3000$request_uri;
  3. proxy_set_header Host $host;
  4. proxy_set_header X-Real-IP $remote_addr;
  5. proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
  6. proxy_set_header X-Forwarded-Proto "https";
  7. proxy_set_header Connection $connection_upgrade;
  8. proxy_set_header Upgrade $http_upgrade;
  9. }
  10. location / {
  11. proxy_pass http://localhost:3000/;
  12. proxy_set_header Host $host;
  13. proxy_set_header X-Real-IP $remote_addr;
  14. proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
  15. proxy_set_header X-Forwarded-Proto "https";
  16. }

Note: This feature is only available in Grafana v6.3+.

Metric queries

LogQL supports wrapping a log query with functions that allow for creating metrics out of the logs. See LogQL documentation on how to create and use metrics queries.

Templating

Instead of hard-coding things like server, application and sensor name in your metric queries, you can use variables in their place. Variables are shown as drop-down select boxes at the top of the dashboard. These drop-down boxes make it easy to change the data being displayed in your dashboard.

Check out the Templating documentation for an introduction to the templating feature and the different types of template variables.

Query variable

Variable of the type Query allows you to query Loki for a list labels or label values. The Loki data source plugin provides the following functions you can use in the Query input field.

NameDescription
label_names()Returns a list of label names.
label_values(label)Returns a list of label values for the label.
label_values(log stream selector, label)Returns a list of label values for the label in the specified log stream selector.

Ad hoc filters variable

Loki supports the special ad hoc filters variable type. It allows you to specify any number of label/value filters on the fly. These filters are automatically applied to all your Loki queries.

Using interval and range variables

You can use some global built-in variables in query variables; $__interval, $__interval_ms, $__range, $__range_s and $__range_ms. For more information, refer to Global built-in variables.

Annotations

You can use any non-metric Loki query as a source for annotations. Log content will be used as annotation text and your log stream labels as tags, so there is no need for additional mapping.

Configure the data source with provisioning

You can set up the data source via config files with Grafana’s provisioning system. You can read more about how it works and all the settings you can set for data sources on the provisioning docs page

Here is an example:

  1. apiVersion: 1
  2. datasources:
  3. - name: Loki
  4. type: loki
  5. access: proxy
  6. url: http://localhost:3100
  7. jsonData:
  8. maxLines: 1000

Here’s another with basic auth and derived field. Keep in mind that $ character needs to be escaped in YAML values as it is used to interpolate environment variables:

  1. apiVersion: 1
  2. datasources:
  3. - name: Loki
  4. type: loki
  5. access: proxy
  6. url: http://localhost:3100
  7. basicAuth: true
  8. basicAuthUser: my_user
  9. basicAuthPassword: test_password
  10. jsonData:
  11. maxLines: 1000
  12. derivedFields:
  13. # Field with internal link pointing to data source in Grafana.
  14. # Right now, Grafana supports only Jaeger and Zipkin data sources as link targets.
  15. # datasourceUid value can be anything, but it should be unique across all defined data source uids.
  16. - datasourceUid: my_jaeger_uid
  17. matcherRegex: "traceID=(\\w+)"
  18. name: TraceID
  19. # url will be interpreted as query for the datasource
  20. url: '$${__value.raw}'
  21. # Field with external link.
  22. - matcherRegex: "traceID=(\\w+)"
  23. name: TraceID
  24. url: 'http://localhost:16686/trace/$${__value.raw}'

Here’s an example of a Jaeger data source corresponding to the above example. Note that the Jaeger uid value does match the Loki datasourceUid value.

  1. datasources:
  2. - name: Jaeger
  3. type: jaeger
  4. url: http://jaeger-tracing-query:16686/
  5. access: proxy
  6. # UID should match the datasourceUid in dervidedFields.
  7. uid: my_jaeger_uid