Grafana LokiLogQLMatching IP addresses

Matching IP addresses

Matching IP addresses is an experimental feature.

LogQL supports matching IP addresses.

With logs such as

3.180.71.3 - - [17/May/2015:08:05:32 +0000] "GET /downloads/product_1 HTTP/1.1" 304 0 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.21)"
80.91.33.133 - - [17/May/2015:08:05:14 +0000] "GET /downloads/product_1 HTTP/1.1" 304 0 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.16)"
46.4.66.76 - - [17/May/2015:08:05:45 +0000] "GET /downloads/product_1 HTTP/1.1" 404 318 "-" "Debian APT-HTTP/1.3 (1.0.1ubuntu2)"
93.180.71.3 - - [17/May/2015:08:05:26 +0000] "GET /downloads/product_1 HTTP/1.1" 404 324 "-" "Debian APT-HTTP/1.3 (0.8.16~exp12ubuntu10.21)"

the LogQL line filter is not sufficient. A line filter such as

{job_name="myapp"} |= "3.180.71.3"

also matches example IP addresses such as 93.180.71.3. A better choice uses a regexp: |~"^3.180.71.3". This regexp does not handle IPv6 addresses, and it does not match a range of IP addresses.

The LogQL support for matching IP addresses handles both IPv4 and IPv6 single addresses, as well as ranges within IP addresses and CIDR patterns.

Match IP addresses with the syntax: ip("<pattern>"). The <pattern> can be:

  • A single IP address. Examples: ip("192.0.2.0"), ip("::1")
  • A range within the IP address. Examples: ip("192.168.0.1-192.189.10.12"), ip("2001:db8::1-2001:db8::8")
  • A CIDR specification. Examples: ip("192.51.100.0/24"), ip("2001:db8::/32")

The IP matching can be used in both line filter and label filter expressions. When specifying line filter expressions, only the |= and != operations are allowed. When specifying label filter expressions, only the = and != operations are allowed.

  • Line filter examples

    {job_name="myapp"} |= ip("192.168.4.5/16")

    Return log lines that do not match with an IPv4 range:

    {job_name="myapp"} != ip("192.168.4.5-192.168.4.20")

  • Label filter examples

    {job_name="myapp"}
    | logfmt
    | remote_addr = ip("2001:db8::1-2001:db8::8")
    | level = "error"

    Filters can be chained. This example matches log lines with all IPv4 subnet values 192.168.4.5/16 except IP address 192.168.4.2:

    {job_name="myapp"}
    | logfmt
    | addr = ip("192.168.4.5/16")
    | addr != ip("192.168.4.2")
Related Enterprise Logs resources
Grafana Enterprise Logs: Logging with security and scale

Join us for this webinar, which will cover: Challenges with logging as organizations scale and the volume of logs explodes, how Grafana Enterprise Logs enables organizations to make logs available to any team members who need them, features available in GEL and how to get access, a live product demo so you can see GEL for the first time

VIDEO: Watch this first-look demo of the new Grafana Enterprise Logs

Based on Loki, Grafana Enterprise Logs is part of the Grafana Enterprise Stack for composing and scaling observability on your own infrastructure.

Introducing Grafana Enterprise Logs, a core part of the Grafana Enterprise Stack integrated observability solution

Powered by the Loki open source project, the Enterprise Logs offering joins metrics and dashboards in our enterprise-ready stack for self-managed observability.