How to escape special characters with Loki’s LogQL

Published: 5 Jan 2021

In my ongoing Loki how-to series, I have already shared all the best tips for creating fast filter queries that can filter terabytes of data in seconds.

In this installment, I’ll reveal how to correctly escape special characters within a string in Loki’s LogQL.

When writing LogQL queries, you may have realized that in multiple places you have to write strings delimited by double quotes. This is true for label matchers, line filters, regexes, and label filters — well, we use double-quoted strings in a lot of places.

But problems arise when you suddenly want to filter a line that contains double quotes. For example, this filter query …

{namespace="loki-ops",container="query-frontend"} |= """

… will return a parse error because Loki thinks you did not close your double-quoted string.

Here’s another example: This time let’s pretend we’re looking at Windows containers. It’s the same idea in that this kind of query…

{namespace="dev",container="win-broker"} |= "c:\Users\test\null"

…will result in an error because \U,\t, and \n are considered special characters.

So you need to escape those special characters. The way to escape is to use \ in front of the special characters. 

{namespace="loki-ops",container="query-frontend"} |= "\”"
{namespace="dev",container="win-broker"} |= "c:\\Users\\test\\null"

Last but not least, when doing regexes, there are even more special characters (\,.,+,?, etc.) that are in play. For instance, if you want to match a digit \d or a point ., you’ll also need to escape those.

So if you want to extract IP addresses, the query would look like this:

{namespace="grafana-com",container="nginx"} |= "/observabilitycon" != "assets" |  regexp "(?P<ipaddress>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" 

That’s a lot of \-s, and it’s super easy to get confused.

But good news: There’s a cooler way to do this in Loki! You can use what we call raw strings, which don’t need escaping. Raw strings are backtick (```) quoted strings. 

The three examples above are way simpler with raw strings:

{namespace="loki-ops",container="query-frontend"} |= `"`
{namespace="dev",container="win-broker"} |= `c:\Users\test\null`
{namespace="grafana-com",container="nginx"} |= "/observabilitycon" != "assets" |  regexp `(?P<ipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`

The only catch with raw strings is if you actually need to escape a character like a backtick (```), since it marks the end and beginning of a raw string, you can’t! So in that case, you need to use strings.

I hope this clears any confusion around escaping characters in LogQL. Raw strings are super simple to use and should be preferred when writing regexes. Make sure to read the full LogQL documentation for more details.

And if you’re interested, you can install Loki yourself or get started with Loki in minutes with Grafana Cloud. We’ve just announced new free and paid Grafana Cloud plans to suit every use case — sign up for free now.

Related Posts

Grafana 7.0, Loki 101, Prometheus how-tos, introducing Tempo tracing: Here's a look at some of the highlights of the year from the Grafana Labs blog.
Revisit the Loki project's accomplishments—culminating in the major 2.0 release—and find out why we're so excited about what's to come.
We are heavily invested in the success of the Cortex project and any user that adopts it. As we were already partnering with AWS on its new managed Grafana service, it was a no-brainer to help AWS with Cortex.