How to pair Grafana Drilldown with Loki for faster logging insights
Our logs can tell us so much about the state of our systems, but they can also be a bit overwhelming. Yes, Grafana Loki—and, by extension, Grafana Cloud Logs, which is powered by Loki—reimagined the way log aggregation systems could meet modern engineering demands, but logs, by their very nature, are still voluminous.
No one wants to waste time sifting through endless log lines, which is why we continue to invest in Grafana Logs Drilldown as a tool to help you find the information you need faster. With Logs Drilldown, you can easily filter your logs, dig deeper into your data using volume and text patterns, get automatic visualizations, and uncover related logs—all without having to write queries.
We’ve made a lot of improvements since we launched the app last year, so we want to share some of our favorite tips for getting the most from Logs Drilldown. We’ll also include segments from our GrafanaCON 2025 talk on the same topic to provide additional context.
So whether you’re new to Loki or highly proficient in LogQL, let’s show you how you can accelerate troubleshooting and reduce MTTR for your infrastructure and applications.
Shard your queries
Fetching data is an essential part of the Drilldown experience, and automatic stream sharding can really help get those results faster. Essentially, it splits a query into multiple individual queries that are run in sequence, which is particularly important when you’re dealing with high volumes of data and you want to avoid rate limiting on a single string.
Once you enable automatic stream sharding, Drilldown asks Loki for the values of __stream_shard__ and, if returned, it groups them to execute the current query in smaller sequential segments . To get a quick look at how this works in practice, check out the clip below:
Customize your view
We want you to get insights from the Drilldown apps insights quickly, and that means giving you the most relevant information for your specific use case as soon as you open the app.
Originally, we focused on organizing the landing page by services. This was helpful for some users, but we needed to accommodate a wider range of users. So now you can start from any dimension that you’d like.
For example, you could set it up so your logs are filtered by a service label, or maybe by a service label and an error label—or really any combination of labels you can come up with that fits your needs. On top of that, you can use multiple values within a single label, which enables you to look at the logs of two different services at the same time.
In the next segment from our talk, you’ll see how to do this in practice. Plus, we’ll walk you through how you can add additional dimensions to your logs to give you more filters to drill down on.
Sort forwards or backwards
We recently added a direction query attribute that lets you query your logs in two different orders: newest first or oldest first. This changes the underlying direction of the Loki query, making sure you are seeing the newest (or oldest) log lines that match your selected time range. We’ve also added a blue shade to the Logs Volume panel so you can easily see how you’re sorting your logs.
Since Loki queries are limited to 1,000 lines, being able to look at the head or the tail of the logs can really help narrow your view to the specific timeframe you want. Also, the blue shade on the volume panel offers a helpful reminder of exactly what part of my query you’re looking at results for.
Enable regex support
Regular expressions, or regexes, are essential when searching across logs, and Logs Drilldown fully supports them! Drilldown includes panels called line filters, which is our way of searching for strings within your logs. Within those panels you can toggle on regex support, which you can use for all our filters, including labels and fields.
By enabling regex search mode, you’re now able to build more complex queries that do more than simply match a certain string.
Check out this clip to see how you can do regex queries in Logs Drilldown. The video also includes a quick look at the time-based sorting feature we just discussed.
Visualize logs—automatically
We know people use Loki for all sorts of things, from responding to an incident to simply exploring data. That’s why we give you different views to best fit your needs.
Use the logs view to focus on the content of your log lines. You can also complement it with different fields and read your logs as a list of text, with visualization options for line wrapping, font size, and more. The table has a columnar view where you can add, move, or remove columns—and change the sort order of each. This view is great for focusing on field values in a familiar spreadsheet-like presentation. For example, you could use it to sort by criteria other than timestamp.
And now we’ve added a third, experimental view for JSON logs. No one enjoys looking for a field in a squished line of JSON, but with this new view you can see JSON the way it’s meant to be seen. You can inspect any of the fields, add fields to your query to filter logs, and expand nested objects. And thanks to a small change in the Loki JSON parser that allows us to maintain the original jsonpath to each field, we’re now able to modify the query so that you see that same nested object across all your log lines!
Find patterns in JSON logs
Drilldown is great for quickly finding interesting patterns in your logs, but when we originally launched Drilldown, we couldn’t do patterns for JSON. That’s because JSON logs tend to be long and have a lot of structure to them, which created real issues with our tokenization for finding patterns.
To get around this, we’ve stopped trying to tokenize the whole JSON log line, and instead focused on unique fields that you can configure, which enables you to find patterns in those fields.
In the clip below, you’ll see how to use Drilldown with JSON log lines.
Use advanced sorting and numeric filtering
The features we’ve discussed so far are great for getting a high-level visualization of your logs, which you can then further drill down into to find the logs you’re looking for. But what if you don’t know what you’re looking for?
This is where our advanced sorting and filtering comes into play. We have many different sorting options, such as those with the highest spikes, or the lowest drop, or the widest spread. You can even use machine learning algorithms to sort your time series, or use outlier detection to sort by logs with the most-aligned values.
And finally, if your fields are numeric, such as duration or size, you can filter for different intervals when you’re looking beyond a certain value. For example, when looking for a slow operation, you probably aren’t looking for a discrete duration value but instead looking for all logs with a duration value above a certain threshold. This is exactly what comparison filtering enables!
In this final clip, you’ll get a quick look at how you can use those numeric filters.
Dig deeper into Grafana Drilldown
If you’d like to dig deeper into any of the tips we’ve outlined here, we’ve set up a Grafana Play environment where you can test them out. We’ve included data sets that are specifically designed to highlight the functionality we’ve discussed here, so there’s plenty of opportunity to learn more.
And we aren’t stopping there. In the months since we originally gave our talk, we’ve made even more improvements to Logs Drilldown, including a completely redesigned logs visualization, with new features like log syntax highlighting, client side search, font size options, nanosecond-precision timestamps, redesigned log details that can be displayed inline or as a sidebar, and more.
And while we love logs, the Drilldown experience isn’t confined to just one telemetry type. We also have apps for metrics with Grafana Mimir, traces with Grafana Tempo, and profiles with Grafana Pyroscope, so check those out as well for more ways to dig deeper into your telemetry.
Grafana Cloud is the easiest way to get started with metrics, logs, traces, dashboards, and more. We have a generous forever-free tier and plans for every use case. Sign up for free now!
