Using Loki in Grafana

Using Loki in Grafana

Grafana ships with built-in support for Loki, an open source log aggregation system by Grafana Labs. This topic explains options, variables, querying, and other options specific to this data source.

Add it as a data source and you are ready to build dashboards or query your log data in Explore. Refer to Add a data source for instructions on how to add a data source to Grafana. Only users with the organization admin role can add data sources.

Hosted Loki

You can run Loki on your own hardware or use Grafana Cloud. The free forever plan includes Grafana, 50 GB of Loki logs, 10K Prometheus series, and more. Create a free account to get started.

Loki settings

To access Loki settings, click the Configuration (gear) icon, then click Data Sources, and then click the Loki data source.

Name	Description
`Name`	The data source name. This is how you refer to the data source in panels, queries, and Explore.
`Default`	Default data source that is pre-selected for new panels.
`URL`	URL of the Loki instance, e.g., `http://localhost:3100`.
`Allowed cookies`	Grafana Proxy deletes forwarded cookies by default. Specify cookies by name that should be forwarded to the data source.
`Maximum lines`	Upper limit for the number of log lines returned by Loki (default is 1000). Lower this limit if your browser is sluggish when displaying logs in Explore.

Note: To troubleshoot configuration and other issues, check the log file located at /var/log/grafana/grafana.log on Unix systems or in <grafana_install_dir>/data/log on other platforms and manual installations.

Derived fields

The Derived Fields configuration allows you to:

Add fields parsed from the log message.
Add a link that uses the value of the field.

For example, you can use this functionality to link to your tracing backend directly from your logs, or link to a user profile page if a userId is present in the log line. These links appear in the log details.

Note: Grafana Cloud users can request modifications to this feature by opening a support ticket in the Cloud Portal.

Each derived field consists of:

Name - Shown in the log details as a label.
Regex - A Regex pattern that runs on the log message and captures part of it as the value of the new field. Can only contain a single capture group.
URL/query - If the link is external, then enter the full link URL. If the link is internal link, then this input serves as query for the target data source. In both cases, you can interpolate the value from the field with ${__value.raw} macro.
URL Label - (Optional) Set a custom display label for the link. The link label defaults to the full external URL or name of the linked internal data source and is overridden by this setting.
Internal link - Select if the link is internal or external. In case of internal link, a data source selector allows you to select the target data source. Only tracing data sources are supported.

You can use a debug section to see what your fields extract and how the URL is interpolated. Click Show example log message to show the text area where you can enter a log message.

Screenshot of the derived fields debugging

The new field with the link shown in log details:

Detected fields link in Explore

Loki query editor

Loki query editor is separated into 2 distinct modes that you can switch between. See docs for each section below.

At the top of the editor, select Run queries to run a query. Select Builder | Code tabs to switch between the editor modes. If the query editor is in Builder mode, there are additional elements explained in the Builder section.

Note: In Explore, to run Loki queries, select Run query.

Each mode is synchronized with the other modes, so you can switch between them without losing your work, although there are some limitations. Some more complex queries are not yet supported in the builder mode. If you try to switch from Code to Builder with such query, editor will show a popup explaining that you can lose some parts of the query, and you can decide if you still want to continue to Builder mode or not.

Code mode

Code mode allows you to write raw queries in a textual editor. It implements autocomplete features and syntax highlighting to help with writing complex queries. In addition, it also contains Log browser to further aid with writing queries (see more docs below).

For more information about Loki query language, refer to the Loki documentation.

Autocomplete

Autocomplete kicks automatically in appropriate times during typing. Autocomplete can suggest both static functions, aggregations and parsers but also dynamic items like labels. Autocomplete dropdown also shows documentation for the suggested items, either static one or dynamic metric documentation where available.

Log browser

With Loki log browser you can easily navigate through your list of labels and values and construct the query of your choice. Log browser has multi-step selection:

Choose the labels you would like to consider for your search.
Search for the values for selected labels. Search filed supports fuzzy search. Log browser also supports facetting and therefore it shows you only possible label combinations.
Choose the type of query - logs query or rate metrics query. Additionally, you can also validate selector.

Screenshot of the log browser for Loki

Options

Name	Description
`Type`	Choose the type of query to run. The `instant` type queries against a single point in time. We are using “To” time from the time range. The `range` type queries over the selected range of time.
`Line limit`	Upper limit for number of log lines returned by query. The default is the Maximum lines limit set in Loki settings.
`Legend`	Available only in Dashboard. Controls the name of the time series, using name or pattern. For example `{{hostname}}` is replaced with the label value for the label `hostname`.
`Resolution`	Resolution 1/1 sets step parameter of Loki metrics range queries such that each pixel corresponds to one data point. For better performance, lower resolutions can be picked. 1/2 only retrieves a data point for every other pixel, and 1/10 retrieves one data point per 10 pixels.

Builder mode

In addition to Run query button and mode switcher, in builder mode additional elements are available:

Name	Description
Query patterns	A list of useful operation patterns that can be used to quickly add multiple operations to your query to achieve a specific goal.
Explain	Toggle to show a step by step explanation of all query parts and the operations.
Raw query	Toggle to show raw query generated by the builder that will be sent to Loki instance.

Labels selector

Select desired labels and their values from the dropdown list. When label is selected, available values are fetched from the server. Use the + button to add more labels. Use the x button to remove a label.

Operations

Use the + Operations button to add operation to your query. Operations are grouped into sections for easier navigation. When the operations dropdown is open, write into the search input to search and filter operations list.

Operations in a query are shown as boxes in the operations section. Each has a header with a name and additional action buttons. Hover over the operation header to show the action buttons. Click the v button to quickly replace the operation with different one of the same type. Click the info button to open operations’ description tooltip. Click the x button to remove the operation.

Operation can have additional parameters under the operation header. See the operation description or Loki docs for more details about each operation.

Some operations make sense only in specific order, if adding an operation would result in nonsensical query, operation will be added to the correct place. To order operations manually drag operation box by the operation name and drop in appropriate place.

Hints

In same cases the query editor can detect which operations would be most appropriate for a selected log stream. In such cases it will show a hint next to the + Operations button. Click on the hint to add the operations to your query.

Explain mode

Explain mode helps with understanding the query. It shows a step by step explanation of all query parts and the operations.

Raw query

This section is shown only if the Raw query switch from the query editor top toolbar is set to on. It shows the raw query that will be created and executed by the query editor.

Querying with Loki

There are two types of LogQL queries:

Log queries
Metric queries

Log queries

Loki log queries return the contents of the log lines. Querying and displaying log data from Loki is available via Explore, and with the logs panel in dashboards. Select the Loki data source, and then enter a LogQL query to display your logs.F or more information about log queries and LogQL, refer to the Loki log queries documentation

Log context

When using a search expression as detailed above, you can retrieve the context surrounding your filtered results. By clicking the Show Context link on the filtered rows, you’ll be able to investigate the log messages that came before and after the log message you’re interested in.

Live tailing

Loki supports Live tailing which displays logs in real-time. This feature is supported in Explore.

Note that Live Tailing relies on two Websocket connections: one between the browser and the Grafana server, and another between the Grafana server and the Loki server. If you run any reverse proxies, please configure them accordingly. The following example for Apache2 can be used for proxying between the browser and the Grafana server:

ProxyPassMatch "^/(api/datasources/proxy/\d+/loki/api/v1/tail)" "ws://127.0.0.1:3000/$1"

The following example shows basic NGINX proxy configuration. It assumes that the Grafana server is available at http://localhost:3000/, Loki server is running locally without proxy, and your external site uses HTTPS. If you also host Loki behind NGINX proxy, then you might want to repeat the following configuration for Loki as well.

In the http section of NGINX configuration, add the following map definition:

  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }

In your server section, add the following configuration:

  location ~ /(api/datasources/proxy/\d+/loki/api/v1/tail) {
      proxy_pass          http://localhost:3000$request_uri;
      proxy_set_header    Host              $host;
      proxy_set_header    X-Real-IP         $remote_addr;
      proxy_set_header    X-Forwarded-for   $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Proto "https";
      proxy_set_header    Connection        $connection_upgrade;
      proxy_set_header    Upgrade           $http_upgrade;
  }
  location / {
      proxy_pass          http://localhost:3000/;
      proxy_set_header    Host              $host;
      proxy_set_header    X-Real-IP         $remote_addr;
      proxy_set_header    X-Forwarded-for   $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Proto "https";
  }

Note: This feature is only available in Grafana v6.3+.

Metric queries

LogQL supports wrapping a log query with functions that allow for creating metrics out of the logs. For more information about metric queries, refer to the Loki metric queries documentation

Templating

Instead of hard-coding things like server, application and sensor name in your metric queries, you can use variables in their place. Variables are shown as drop-down select boxes at the top of the dashboard. These drop-down boxes make it easy to change the data being displayed in your dashboard.

Check out the Templating documentation for an introduction to the templating feature and the different types of template variables.

Query variable

Variable of the type Query allows you to query Loki for a list labels or label values. The Loki data source plugin provides the following functions you can use in the Query input field.

Name	Description
`label_names()`	Returns a list of label names.
`label_values(label)`	Returns a list of label values for the `label`.
`label_values(log stream selector, label)`	Returns a list of label values for the `label` in the specified `log stream selector`.

Ad hoc filters variable

Loki supports the special ad hoc filters variable type. It allows you to specify any number of label/value filters on the fly. These filters are automatically applied to all your Loki queries.

Using interval and range variables

You can use some global built-in variables in query variables; $__interval, $__interval_ms, $__range, $__range_s and $__range_ms. For more information, refer to Global built-in variables.

Annotations

You can use any non-metric Loki query as a source for annotations. Log content will be used as annotation text and your log stream labels as tags, so there is no need for additional mapping.

Configure the data source with provisioning

You can set up the data source via config files with Grafana’s provisioning system. You can read more about how it works and all the settings you can set for data sources on the provisioning docs page

Here is an example:

apiVersion: 1
datasources:
  - name: Loki
    type: loki
    access: proxy
    url: http://localhost:3100
    jsonData:
      maxLines: 1000

Here’s another with basic auth and derived field. Keep in mind that $ character needs to be escaped in YAML values as it is used to interpolate environment variables:

apiVersion: 1
datasources:
  - name: Loki
    type: loki
    access: proxy
    url: http://localhost:3100
    basicAuth: true
    basicAuthUser: my_user
    jsonData:
      maxLines: 1000
      derivedFields:
        # Field with internal link pointing to data source in Grafana.
        # Right now, Grafana supports only Jaeger and Zipkin data sources as link targets.
        # datasourceUid value can be anything, but it should be unique across all defined data source uids.
        - datasourceUid: my_jaeger_uid
          matcherRegex: "traceID=(\\w+)"
          name: TraceID
          # url will be interpreted as query for the datasource
          url: '$${__value.raw}'
        # Field with external link.
        - matcherRegex: "traceID=(\\w+)"
          name: TraceID
          url: 'http://localhost:16686/trace/$${__value.raw}'
    secureJsonData:
      basicAuthPassword: test_password

Here’s an example of a Jaeger data source corresponding to the above example. Note that the Jaeger uid value does match the Loki datasourceUid value.

datasources:
    - name: Jaeger
      type: jaeger
      url: http://jaeger-tracing-query:16686/
      access: proxy
      # UID should match the datasourceUid in dervidedFields.
      uid: my_jaeger_uid

Loki